From: Eric Paris <[EMAIL PROTECTED]> Date: Fri, 02 Mar 2007 13:29:50 -0500
> The security hooks to check permissions to remove an xfrm_policy were > actually done after the policy was removed. Since the unlinking and > deletion are done in xfrm_policy_by* functions this moves the hooks > inside those 2 functions. There we have all the information needed to > do the security check and it can be done before the deletion. Since > auditing requires the result of that security check err has to be passed > back and forth from the xfrm_policy_by* functions. > > This patch also fixes a bug where a deletion that failed the security > check could cause improper accounting on the xfrm_policy > (xfrm_get_policy didn't have a put on the exit path for the hold taken > by xfrm_policy_by*) > > It also fixes the return code when no policy is found in > xfrm_add_pol_expire. In old code (at least back in the 2.6.18 days) err > wasn't used before the return when no policy is found and so the > initialization would cause err to be ENOENT. But since err has since > been used above when we don't get a policy back from the xfrm_policy_by* > function we would always return 0 instead of the intended ENOENT. Also > fixed some white space damage in the same area. > > Signed-off-by: Eric Paris <[EMAIL PROTECTED]> Applied. - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
