aboutsummaryrefslogtreecommitdiff
path: root/net/xfrm/xfrm_policy.c
diff options
context:
space:
mode:
authorPaul Moore <paul.moore@hp.com>2008-04-12 19:07:52 -0700
committerDavid S. Miller <davem@davemloft.net>2008-04-12 19:07:52 -0700
commit03e1ad7b5d871d4189b1da3125c2f12d1b5f7d0b (patch)
tree1e7f291ac6bd0c1f3a95e8252c32fcce7ff47ea7 /net/xfrm/xfrm_policy.c
parent00447872a643787411c2c0cb1df6169dda8b0c47 (diff)
LSM: Make the Labeled IPsec hooks more stack friendly
The xfrm_get_policy() and xfrm_add_pol_expire() put some rather large structs on the stack to work around the LSM API. This patch attempts to fix that problem by changing the LSM API to require only the relevant "security" pointers instead of the entire SPD entry; we do this for all of the security_xfrm_policy*() functions to keep things consistent. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/xfrm/xfrm_policy.c')
-rw-r--r--net/xfrm/xfrm_policy.c24
1 files changed, 15 insertions, 9 deletions
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 15d73e47cc2..ab4d0e598a2 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -263,7 +263,7 @@ void xfrm_policy_destroy(struct xfrm_policy *policy)
list_del(&policy->bytype);
write_unlock_bh(&xfrm_policy_lock);
- security_xfrm_policy_free(policy);
+ security_xfrm_policy_free(policy->security);
kfree(policy);
}
EXPORT_SYMBOL(xfrm_policy_destroy);
@@ -676,7 +676,8 @@ struct xfrm_policy *xfrm_policy_bysel_ctx(u8 type, int dir,
xfrm_sec_ctx_match(ctx, pol->security)) {
xfrm_pol_hold(pol);
if (delete) {
- *err = security_xfrm_policy_delete(pol);
+ *err = security_xfrm_policy_delete(
+ pol->security);
if (*err) {
write_unlock_bh(&xfrm_policy_lock);
return pol;
@@ -718,7 +719,8 @@ struct xfrm_policy *xfrm_policy_byid(u8 type, int dir, u32 id, int delete,
if (pol->type == type && pol->index == id) {
xfrm_pol_hold(pol);
if (delete) {
- *err = security_xfrm_policy_delete(pol);
+ *err = security_xfrm_policy_delete(
+ pol->security);
if (*err) {
write_unlock_bh(&xfrm_policy_lock);
return pol;
@@ -756,7 +758,7 @@ xfrm_policy_flush_secctx_check(u8 type, struct xfrm_audit *audit_info)
&xfrm_policy_inexact[dir], bydst) {
if (pol->type != type)
continue;
- err = security_xfrm_policy_delete(pol);
+ err = security_xfrm_policy_delete(pol->security);
if (err) {
xfrm_audit_policy_delete(pol, 0,
audit_info->loginuid,
@@ -770,7 +772,8 @@ xfrm_policy_flush_secctx_check(u8 type, struct xfrm_audit *audit_info)
bydst) {
if (pol->type != type)
continue;
- err = security_xfrm_policy_delete(pol);
+ err = security_xfrm_policy_delete(
+ pol->security);
if (err) {
xfrm_audit_policy_delete(pol, 0,
audit_info->loginuid,
@@ -931,7 +934,8 @@ static int xfrm_policy_match(struct xfrm_policy *pol, struct flowi *fl,
match = xfrm_selector_match(sel, fl, family);
if (match)
- ret = security_xfrm_policy_lookup(pol, fl->secid, dir);
+ ret = security_xfrm_policy_lookup(pol->security, fl->secid,
+ dir);
return ret;
}
@@ -1048,8 +1052,9 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(struct sock *sk, int dir, struc
int err = 0;
if (match) {
- err = security_xfrm_policy_lookup(pol, fl->secid,
- policy_to_flow_dir(dir));
+ err = security_xfrm_policy_lookup(pol->security,
+ fl->secid,
+ policy_to_flow_dir(dir));
if (!err)
xfrm_pol_hold(pol);
else if (err == -ESRCH)
@@ -1138,7 +1143,8 @@ static struct xfrm_policy *clone_policy(struct xfrm_policy *old, int dir)
if (newp) {
newp->selector = old->selector;
- if (security_xfrm_policy_clone(old, newp)) {
+ if (security_xfrm_policy_clone(old->security,
+ &newp->security)) {
kfree(newp);
return NULL; /* ENOMEM */
}