RE: [PATCH 7/7] secid reconciliation-v02: Enforcement for SELinux

2006-09-20 Thread Venkat Yekkirala
+static int selinux_skb_policy_check(struct sk_buff *skb, unsigned short family) +{ + u32 xfrm_sid, trans_sid; + int err; + + if (selinux_compat_net) + return 1; + + err = selinux_xfrm_decode_session(skb, xfrm_sid, 0); + BUG_ON(err); First, any reason
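Review bot: the BUG_ON(err) after selinux_xfrm_decode_session(skb, xfrm_sid, 0) in selinux_skb_policy_check() turns a decode failure on a received skb into a kernel panic, which makes the failure case a denial of service reachable from the packet path rather than an access-control decision. Handle err as a deny and let the caller drop the skb, for example `if (err) return 0;` so it matches the allow/deny-style `return 1;` used on the selinux_compat_net path just above, and keep BUG_ON for invariants that input cannot violate.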

Re: [PATCH 7/7] secid reconciliation-v02: Enforcement for SELinux

2006-09-20 Thread Paul Moore
Venkat Yekkirala wrote: +static int selinux_skb_policy_check(struct sk_buff *skb, unsigned short family) +{ +u32 xfrm_sid, trans_sid; +int err; + +if (selinux_compat_net) +return 1; + +err = selinux_xfrm_decode_session(skb, xfrm_sid, 0); +BUG_ON(err); First, any

Re: [PATCH 7/7] secid reconciliation-v02: Enforcement for SELinux

2006-09-18 Thread James Morris
On Fri, 8 Sep 2006, Venkat Yekkirala wrote: + if (selinux_compat_net) { + err = selinux_xfrm_decode_session(skb, peersid, 0); + BUG_ON(err); I'm pretty sure this should not be a BUG_ON. IIUC, you want to panic the kernel because one of the nested SAs has a
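Review bot: the same issue in the selinux_compat_net branch: BUG_ON(err) on the return of selinux_xfrm_decode_session(skb, peersid, 0) panics the kernel on a condition that depends on the incoming packet's SAs rather than on a programming error. Propagate the failure instead (`if (err) return err;` or treat it as a deny of the packet) so that a malformed or unexpected SA chain is dropped rather than crashing the host.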

Re: [PATCH 7/7] secid reconciliation-v02: Enforcement for SELinux

2006-09-18 Thread James Morris
On Fri, 8 Sep 2006, Venkat Yekkirala wrote: This defines SELinux enforcement of the 2 new LSM hooks. I think this looks ok in general (I have a couple more technical issues), although I believe that Stephen has some question about policy construction. Please rename these hooks: + *

RE: [PATCH 7/7] secid reconciliation-v02: Enforcement for SELinux

2006-09-18 Thread Venkat Yekkirala
On Fri, 8 Sep 2006, Venkat Yekkirala wrote: + if (selinux_compat_net) { + err = selinux_xfrm_decode_session(skb, peersid, 0); + BUG_ON(err); I'm pretty sure this should not be a BUG_ON. IIUC, you want to panic the kernel because one of the nested SAs has a

Re: [PATCH 7/7] secid reconciliation-v02: Enforcement for SELinux

2006-09-18 Thread Paul Moore
On Friday 08 September 2006 12:50 pm, Venkat Yekkirala wrote: This defines SELinux enforcement of the 2 new LSM hooks. {snip} +static int selinux_skb_policy_check(struct sk_buff *skb, unsigned short family) +{ + u32 xfrm_sid, trans_sid; + int err; + + if (selinux_compat_net)