Message-ID: <1973541.1ksEzzDSut@sifl>
Date: Fri, 26 Jul 2013 14:09:50 -0400
From: Paul Moore <paul@...l-moore.com>
To: Fan Du <fan.du@...driver.com>
Cc: nicolas.dichtel@...nd.com,
Hannes Frederic Sowa <hannes@...essinduktion.org>,
davem@...emloft.net, yoshfuji@...ux-ipv6.org, jmorris@...ei.org,
steffen.klassert@...unet.com, netdev <netdev@...r.kernel.org>
Subject: Re: [PATCH net-next v3] net: split rt_genid for ipv4 and ipv6
On Friday, July 26, 2013 01:49:35 PM Fan Du wrote:
> I took a look at the SELinux xfrm part; my limited understanding is that
> SELinux XFRM rules should take global effect on all net namespaces in the
> current implementation.
Yes, a SELinux policy load needs to bump the cache ID as the new SELinux
policy could have an effect on the IPsec state (SELinux label associated with
the SAs and SPD rules).
> diff --git a/security/selinux/include/xfrm.h
> b/security/selinux/include/xfrm.h index 65f67cb..4f72d2c 100644
> --- a/security/selinux/include/xfrm.h
> +++ b/security/selinux/include/xfrm.h
> @@ -50,8 +50,14 @@ int selinux_xfrm_decode_session(struct sk_buff *skb, u32
> *sid, int ckall);
>
> static inline void selinux_xfrm_notify_policyload(void)
> {
> + struct net *net;
> +
> atomic_inc(&flow_cache_genid);
> - rt_genid_bump(&init_net);
> + rtnl_lock();
> + for_each_net(net) {
> + rt_genid_bump_all(net);
> + }
> + rtnl_unlock();
> }
> #else
> static inline int selinux_xfrm_enabled(void)
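Review bot: the new rtnl_lock()/rtnl_unlock() pair inside selinux_xfrm_notify_policyload() turns this inline notification hook into a sleeping call that also contends for the RTNL mutex, and nothing in the hunk shows that every caller of the policy-load notification can sleep there; the flow_cache_genid bump right beside it is an atomic_inc(), which suggests the path was meant to stay non-blocking. Walking the namespace list only needs RCU protection, so consider replacing the three added lock/loop/unlock lines with
    rcu_read_lock();
    for_each_net_rcu(net)
            rt_genid_bump_all(net);
    rcu_read_unlock();
which keeps the loop lock-free and drops the braces around the single-statement body, as kernel style prefers. If callers are already holding RTNL, a lockdep_assert or a comment stating that requirement would be clearer than taking the lock here.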
--
paul moore
www.paul-moore.com