summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorVenkat Yekkirala <vyekkirala@TrustedCS.com>2007-01-15 16:38:45 -0800
committerDavid S. Miller <davem@sunset.davemloft.net>2007-01-23 20:25:41 -0800
commit334c85569b8adeaa820c0f2fab3c8f0a9dc8b92e (patch)
treea813e11fc4168e8eb2597364b7d809cd981859ac
parentd88ae4cc97b24783ee4480697fbdcc02ab4133a6 (diff)
downloadlinux-334c85569b8adeaa820c0f2fab3c8f0a9dc8b92e.tar.bz2
[SELINUX]: increment flow cache genid
Currently, old flow cache entries remain valid even after a reload of SELinux policy. This patch increments the flow cache generation id on policy (re)loads so that flow cache entries are revalidated as needed. Thanks to Herbet Xu for pointing this out. See: http://marc.theaimsgroup.com/?l=linux-netdev&m=116841378704536&w=2 There's also a general issue as well as a solution proposed by David Miller for when flow_cache_genid wraps. I might be submitting a separate patch for that later. I request that this be applied to 2.6.20 since it's a security relevant fix. Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--security/selinux/ss/services.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 3eb1fa9f0de1..ff0393317f39 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1299,6 +1299,7 @@ int security_load_policy(void *data, size_t len)
avc_ss_reset(seqno);
selnl_notify_policyload(seqno);
selinux_netlbl_cache_invalidate();
+ atomic_inc(&flow_cache_genid);
return 0;
}
@@ -1354,6 +1355,7 @@ int security_load_policy(void *data, size_t len)
avc_ss_reset(seqno);
selnl_notify_policyload(seqno);
selinux_netlbl_cache_invalidate();
+ atomic_inc(&flow_cache_genid);
return 0;
@@ -1853,6 +1855,7 @@ out:
if (!rc) {
avc_ss_reset(seqno);
selnl_notify_policyload(seqno);
+ atomic_inc(&flow_cache_genid);
}
return rc;
}