diff options
Diffstat (limited to 'testing/linux-grsec/0005-xfrm-SP-lookups-with-mark.patch')
-rw-r--r-- | testing/linux-grsec/0005-xfrm-SP-lookups-with-mark.patch | 81 |
1 files changed, 81 insertions, 0 deletions
diff --git a/testing/linux-grsec/0005-xfrm-SP-lookups-with-mark.patch b/testing/linux-grsec/0005-xfrm-SP-lookups-with-mark.patch new file mode 100644 index 00000000..9793ba24 --- /dev/null +++ b/testing/linux-grsec/0005-xfrm-SP-lookups-with-mark.patch @@ -0,0 +1,81 @@ +From 57fbea87dccb6eee5c5b588c518fd4b265496016 Mon Sep 17 00:00:00 2001 +From: Jamal Hadi Salim <hadi@cyberus.ca> +Date: Mon, 22 Feb 2010 11:32:58 +0000 +Subject: [PATCH 5/7] xfrm: SP lookups with mark + +Allow mark to be used when doing SP lookup + +Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/xfrm/xfrm_policy.c | 12 +++++++++++- + 1 files changed, 11 insertions(+), 1 deletions(-) + +diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c +index 8376d55..3de990f 100644 +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -556,6 +556,7 @@ int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl) + struct hlist_head *chain; + struct hlist_node *entry, *newpos; + struct dst_entry *gc_list; ++ u32 mark = policy->mark.v & policy->mark.m; + + write_lock_bh(&xfrm_policy_lock); + chain = policy_hash_bysel(net, &policy->selector, policy->family, dir); +@@ -564,6 +565,7 @@ int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl) + hlist_for_each_entry(pol, entry, chain, bydst) { + if (pol->type == policy->type && + !selector_cmp(&pol->selector, &policy->selector) && ++ (mark & pol->mark.m) == pol->mark.v && + xfrm_sec_ctx_match(pol->security, policy->security) && + !WARN_ON(delpol)) { + if (excl) { +@@ -650,6 +652,7 @@ struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, u32 mark, u8 type, + ret = NULL; + hlist_for_each_entry(pol, entry, chain, bydst) { + if (pol->type == type && ++ (mark & pol->mark.m) == pol->mark.v && + !selector_cmp(sel, &pol->selector) && + xfrm_sec_ctx_match(ctx, pol->security)) { + xfrm_pol_hold(pol); +@@ -692,7 +695,8 @@ struct xfrm_policy *xfrm_policy_byid(struct net *net, u32 mark, u8 type, + chain = net->xfrm.policy_byidx + idx_hash(net, id); + ret = NULL; + hlist_for_each_entry(pol, entry, chain, byidx) { +- if (pol->type == type && pol->index == id) { ++ if (pol->type == type && pol->index == id && ++ (mark & pol->mark.m) == pol->mark.v) { + xfrm_pol_hold(pol); + if (delete) { + *err = security_xfrm_policy_delete( +@@ -909,6 +913,7 @@ static int xfrm_policy_match(struct xfrm_policy *pol, struct flowi *fl, + int match, ret = -ESRCH; + + if (pol->family != family || ++ (fl->mark & pol->mark.m) != pol->mark.v || + pol->type != type) + return ret; + +@@ -1033,6 +1038,10 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(struct sock *sk, int dir, struc + int err = 0; + + if (match) { ++ if ((sk->sk_mark & pol->mark.m) != pol->mark.v) { ++ pol = NULL; ++ goto out; ++ } + err = security_xfrm_policy_lookup(pol->security, + fl->secid, + policy_to_flow_dir(dir)); +@@ -1045,6 +1054,7 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(struct sock *sk, int dir, struc + } else + pol = NULL; + } ++out: + read_unlock_bh(&xfrm_policy_lock); + return pol; + } +-- +1.6.3.3 + |