linux/include/net
Joy Latten 4aa2e62c45 xfrm: Add security check before flushing SAD/SPD
Currently we check for permission before deleting entries from SAD and
SPD (see security_xfrm_policy_delete() and security_xfrm_state_delete()).
However we are not checking for authorization when flushing the SPD and
the SAD completely. It was perhaps missed in the original security hooks
patch.

This patch adds a security check when flushing entries from the SAD and
SPD.  It runs the entire database and checks each entry for a denial.
If the process attempting the flush is unable to remove all of the
entries, a denial is logged and the flush function returns an error
without removing anything.

This is particularly useful when a process may need to create or delete
its own xfrm entries used for things like labeled networking but that
same process should not be able to delete other entries or flush the
entire database.

Signed-off-by: Joy Latten <latten@austin.ibm.com>
Signed-off-by: Eric Paris <eparis@parisplace.org>
Signed-off-by: James Morris <jmorris@namei.org>
2007-06-07 13:42:46 -07:00
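The all-or-nothing flush semantics described in the commit message, as an added stand-alone illustration (this is not the kernel's xfrm code; the in-memory SPD, the label strings, and policy_delete_allowed(), which stands in for the per-entry hook security_xfrm_policy_delete(), are invented for the example). The sample database is constructed inline: two entries owned by a labeled-networking process and one owned by an administrative label. A caller that may delete only its own entries is refused the flush and nothing is removed; a caller that may delete everything empties the database.

```c
#include <stdio.h>
#include <string.h>
#include <errno.h>

/* Hypothetical in-memory SPD for illustration only; each policy
 * carries the security label of its owner. */
#define MAX_POLICIES 8

struct policy {
    int  in_use;
    char label[32];
};

struct spd {
    struct policy entries[MAX_POLICIES];
};

/* Stand-in for the per-entry delete hook (the kernel calls
 * security_xfrm_policy_delete()). Assumed policy: a caller may delete
 * entries carrying its own label; "unconfined" may delete anything.
 * Returns 0 to permit, -EPERM to deny. */
static int policy_delete_allowed(const struct policy *p, const char *caller)
{
    if (strcmp(caller, "unconfined") == 0)
        return 0;
    return strcmp(p->label, caller) == 0 ? 0 : -EPERM;
}

/* Pass 1: walk the whole database and stop at the first denial. */
static int spd_flush_check(const struct spd *db, const char *caller)
{
    for (int i = 0; i < MAX_POLICIES; i++) {
        const struct policy *p = &db->entries[i];
        if (!p->in_use)
            continue;
        int err = policy_delete_allowed(p, caller);
        if (err) {
            /* Log the denial, naming the entry that blocked the flush. */
            fprintf(stderr, "flush denied: caller=%s entry=%d label=%s\n",
                    caller, i, p->label);
            return err;
        }
    }
    return 0;
}

/* Flush is all-or-nothing: either every entry may be deleted by the
 * caller and the database is emptied, or an error is returned and the
 * database is left untouched. In real code both passes must run under
 * the same lock, or an entry inserted between them escapes the check. */
int spd_flush(struct spd *db, const char *caller)
{
    int err = spd_flush_check(db, caller);
    if (err)
        return err;
    for (int i = 0; i < MAX_POLICIES; i++)
        db->entries[i].in_use = 0;
    return 0;
}

int spd_count(const struct spd *db)
{
    int n = 0;
    for (int i = 0; i < MAX_POLICIES; i++)
        n += db->entries[i].in_use;
    return n;
}

static void spd_add(struct spd *db, const char *label)
{
    for (int i = 0; i < MAX_POLICIES; i++) {
        if (!db->entries[i].in_use) {
            db->entries[i].in_use = 1;
            snprintf(db->entries[i].label, sizeof db->entries[i].label, "%s", label);
            return;
        }
    }
}

/* Constructed sample: two labeled-networking policies, one admin policy. */
void sample_spd(struct spd *db)
{
    memset(db, 0, sizeof *db);
    spd_add(db, "netlabel_t");
    spd_add(db, "netlabel_t");
    spd_add(db, "admin_t");
}

/* Run a flush by `caller` against a fresh sample database and report
 * the error code and how many entries survived. */
int flush_result(const char *caller)
{
    struct spd db;
    sample_spd(&db);
    return spd_flush(&db, caller);
}

int remaining_after_flush(const char *caller)
{
    struct spd db;
    sample_spd(&db);
    spd_flush(&db, caller);
    return spd_count(&db);
}

int main(void)
{
    printf("netlabel_t flush: err=%d remaining=%d\n",
           flush_result("netlabel_t"), remaining_after_flush("netlabel_t"));
    printf("unconfined flush: err=%d remaining=%d\n",
           flush_result("unconfined"), remaining_after_flush("unconfined"));
    return 0;
}
```

The point the example makes is the one in the message: a process that is authorized to delete some entries must not be able to use a flush to remove the rest, and a refused flush must leave the database exactly as it was rather than deleting up to the first denial.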
bluetooth [Bluetooth] Fix L2CAP configuration parameter handling 2007-05-24 14:27:19 +02:00
irda include files: convert "include" subdirectory to UTF-8 2007-05-09 08:58:21 +02:00
iucv [AF_IUCV]: Implementation of a skb backlog queue 2007-05-04 12:22:07 -07:00
netfilter [NETFILTER]: nf_conntrack: Removes unused destroy operation of l3proto 2007-05-10 23:47:46 -07:00
sctp [SCTP]: Set assoc_id correctly during INIT collision. 2007-05-04 13:55:27 -07:00
tc_act
tipc
act_api.h
addrconf.h [IPV6] ADDRCONF: Optimistic Duplicate Address Detection (RFC 4429) Support. 2007-04-25 22:23:43 -07:00
af_rxrpc.h [AF_RXRPC]: Add an interface to the AF_RXRPC module for the AFS filesystem to use 2007-04-26 15:50:17 -07:00
af_unix.h [AF_UNIX]: Make socket locking much less confusing. 2007-06-03 18:08:40 -07:00
ah.h
arp.h
atmclip.h
ax25.h [SK_BUFF]: Introduce skb_reset_mac_header(skb) 2007-04-25 22:24:32 -07:00
cfg80211.h [WIRELESS] cfg80211: Update comment for locking. 2007-04-25 22:29:48 -07:00
checksum.h
cipso_ipv4.h [SK_BUFF]: Introduce skb_network_header() 2007-04-25 22:24:59 -07:00
compat.h [NET]: Introduce SIOCGSTAMPNS ioctl to get timestamps with nanosec resolution 2007-04-25 22:24:04 -07:00
datalink.h
dn_dev.h
dn_fib.h [DECNet]: Use rtnl registration interface 2007-04-25 22:27:12 -07:00
dn_neigh.h
dn_nsp.h
dn_route.h [DECNet]: Use rtnl registration interface 2007-04-25 22:27:12 -07:00
dn.h
dsfield.h
dst.h [XFRM]: Allow packet drops during larval state resolution. 2007-05-24 18:17:54 -07:00
esp.h [NET]: Move generic skbuff stuff from XFRM code to generic code 2007-04-25 22:28:33 -07:00
fib_rules.h [NETLINK]: Mark netlink policies const 2007-06-07 13:40:10 -07:00
flow.h [XFRM]: Restrict upper layer information by bundle. 2007-04-30 00:58:09 -07:00
gen_stats.h
genetlink.h [NETLINK]: Mark netlink policies const 2007-06-07 13:40:10 -07:00
icmp.h
ieee80211_crypt.h [PATCH] Update my email address from jkmaline@cc.hut.fi to j@w1.fi 2007-04-28 11:01:01 -04:00
ieee80211_radiotap.h [PATCH] Remove comment about IEEE80211_RADIOTAP_FCS 2007-04-28 11:01:03 -04:00
ieee80211.h [PATCH] ieee80211: add ieee80211_channel_to_freq 2007-05-08 11:51:59 -04:00
ieee80211softmac_wx.h
ieee80211softmac.h
if_inet6.h
inet6_connection_sock.h
inet6_hashtables.h [INET]: Use jhash + random secret for ehash. 2007-04-25 22:28:06 -07:00
inet_common.h
inet_connection_sock.h
inet_ecn.h [SK_BUFF]: Convert skb->tail to sk_buff_data_t 2007-04-25 22:26:28 -07:00
inet_hashtables.h
inet_sock.h [INET]: Use jhash + random secret for ehash. 2007-04-25 22:28:06 -07:00
inet_timewait_sock.h
inetpeer.h
ip6_checksum.h
ip6_fib.h [IPv6]: Use rtnl registration interface 2007-04-25 22:27:13 -07:00
ip6_route.h [IPv6]: Use rtnl registration interface 2007-04-25 22:27:13 -07:00
ip6_tunnel.h
ip_fib.h [NETLINK]: Mark netlink policies const 2007-06-07 13:40:10 -07:00
ip_mp_alg.h
ip_vs.h
ip.h [TCP]: Honour sk_bound_dev_if in tcp_v4_send_ack 2007-06-07 13:38:51 -07:00
ipcomp.h
ipconfig.h
ipip.h
ipv6.h [XFRM]: Allow packet drops during larval state resolution. 2007-05-24 18:17:54 -07:00
ipx.h [SK_BUFF]: Introduce skb_transport_header(skb) 2007-04-25 22:25:31 -07:00
iw_handler.h [WEXT]: Clean up how wext is called. 2007-04-26 20:43:56 -07:00
lapb.h
llc_c_ac.h
llc_c_ev.h
llc_c_st.h
llc_conn.h
llc_if.h
llc_pdu.h [SK_BUFF]: Introduce skb_network_header() 2007-04-25 22:24:59 -07:00
llc_s_ac.h
llc_s_ev.h
llc_s_st.h
llc_sap.h
llc.h
mac80211.h [MAC80211]: Add mac80211 wireless stack. 2007-05-05 11:45:53 -07:00
mip6.h
ndisc.h
neighbour.h [NEIGH]: Use rtnl registration interface 2007-04-25 22:27:06 -07:00
netdma.h
netevent.h
netlabel.h
netlink.h [NETLINK]: Mark netlink policies const 2007-06-07 13:40:10 -07:00
netrom.h
nexthop.h
p8022.h
pkt_cls.h [SK_BUFF]: Convert skb->tail to sk_buff_data_t 2007-04-25 22:26:28 -07:00
pkt_sched.h [NET_SCHED]: Eliminate qdisc_tree_lock 2007-04-25 22:29:07 -07:00
protocol.h
psnap.h
raw.h
rawv6.h
red.h [NET_SCHED]: turn PSCHED_GET_TIME into inline function 2007-04-25 22:27:55 -07:00
request_sock.h
rose.h
route.h
rtnetlink.h [NETLINK]: Possible cleanups. 2007-04-26 00:57:41 -07:00
sch_generic.h [NET_SCHED]: Unline tcf_destroy 2007-04-25 22:27:56 -07:00
scm.h
slhc_vj.h
snmp.h
sock.h [SOCK]: Shrink struct sock by 8 bytes on 64-bit. 2007-05-31 01:23:32 -07:00
syncppp.h
tcp_ecn.h [TCP]: Sed magic converts func(sk, tp, ...) -> func(sk, ...) 2007-04-25 22:29:34 -07:00
tcp_states.h
tcp.h [TCP]: Consolidate checking for tcp orphan count being too big. 2007-05-31 01:23:34 -07:00
timewait_sock.h
transp_v6.h
udp.h [UDP]: Revert 2-pass hashing changes. 2007-06-07 13:40:50 -07:00
udplite.h [UDP]: Revert 2-pass hashing changes. 2007-06-07 13:40:50 -07:00
wext.h [NET]: Fix networking compilation errors 2007-04-27 15:31:24 -07:00
wireless.h [WIRELESS] cfg80211: New wireless config infrastructure. 2007-04-25 22:29:41 -07:00
x25.h
x25device.h [SK_BUFF]: Introduce skb_reset_mac_header(skb) 2007-04-25 22:24:32 -07:00
xfrm.h xfrm: Add security check before flushing SAD/SPD 2007-06-07 13:42:46 -07:00