ctx_doi was being compared against XFRM_SC_ALG_SELINUX. This is wrong.
Additionally, if we're going to use XFRM_SC_DOI_LSM as the "lsm doi",
then add a check for it. A (likeable) alternative is to remove the check for
	(ctx->ctx_doi == XFRM_SC_DOI_LSM)
in selinux_authorizable_ctx().

Signed-off-by: Serge E. Hallyn <[EMAIL PROTECTED]>
---
security/selinux/xfrm.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index 3e742b8..b071c0d 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -211,7 +211,9 @@ static int selinux_xfrm_sec_ctx_alloc(st
if (!uctx)
goto not_from_user;
- if (uctx->ctx_doi != XFRM_SC_ALG_SELINUX)
+ if (uctx->ctx_doi != XFRM_SC_DOI_LSM)
+ return -EINVAL;
+ if (uctx->ctx_alg != XFRM_SC_ALG_SELINUX)
return -EINVAL;
if (uctx->ctx_len >= PAGE_SIZE)
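Review bot: The two added tests on uctx->ctx_doi and uctx->ctx_alg both return -EINVAL, so they could be folded into one condition, `if (uctx->ctx_doi != XFRM_SC_DOI_LSM || uctx->ctx_alg != XFRM_SC_ALG_SELINUX)`, keeping validation of the user-supplied context together ahead of the ctx_len test. A one-line comment saying which field carries the DOI and which the algorithm would guard against a repeat of the mix-up in the removed line. The commit message says selinux_authorizable_ctx() also compares ctx_doi with XFRM_SC_DOI_LSM; it would help to say which of the two sites is meant to be authoritative, so the checks do not drift apart.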
--
1.4.2
--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp