Re: [RFC PATCH] xfrm: fix regression introduced by xdst pcpu cache

2017-11-02 Thread Paul Moore
On Thu, Nov 2, 2017 at 8:58 AM, Stephen Smalley wrote: > On Wed, 2017-11-01 at 17:39 -0400, Paul Moore wrote: >> On Tue, Oct 31, 2017 at 7:08 PM, Florian Westphal >> wrote: >> > Paul Moore wrote: >> > > On Mon, Oct 30, 2017 at 10:58 AM,

Re: [RFC PATCH] xfrm: fix regression introduced by xdst pcpu cache

2017-11-02 Thread Stephen Smalley
On Wed, 2017-11-01 at 17:39 -0400, Paul Moore wrote: > On Tue, Oct 31, 2017 at 7:08 PM, Florian Westphal > wrote: > > Paul Moore wrote: > > > On Mon, Oct 30, 2017 at 10:58 AM, Stephen Smalley > > > wrote: > > > > matching before (as in

Re: [RFC PATCH] xfrm: fix regression introduced by xdst pcpu cache

2017-11-01 Thread Paul Moore
On Tue, Oct 31, 2017 at 7:08 PM, Florian Westphal wrote: > Paul Moore wrote: >> On Mon, Oct 30, 2017 at 10:58 AM, Stephen Smalley wrote: >> > matching before (as in this patch) or after calling xfrm_bundle_ok()? >> >> I would probably

Re: [RFC PATCH] xfrm: fix regression introduced by xdst pcpu cache

2017-11-01 Thread Stephen Smalley
On Wed, 2017-11-01 at 00:08 +0100, Florian Westphal wrote: > Paul Moore wrote: > > On Mon, Oct 30, 2017 at 10:58 AM, Stephen Smalley > > wrote: > > > matching before (as in this patch) or after calling > > > xfrm_bundle_ok()? > > > > I would probably

Re: [RFC PATCH] xfrm: fix regression introduced by xdst pcpu cache

2017-11-01 Thread Florian Westphal
Paul Moore wrote: > On Mon, Oct 30, 2017 at 10:58 AM, Stephen Smalley wrote: > > matching before (as in this patch) or after calling xfrm_bundle_ok()? > > I would probably make the LSM call the last check, as you've done; but > I have to say that is just

Re: [RFC PATCH] xfrm: fix regression introduced by xdst pcpu cache

2017-10-31 Thread Paul Moore
On Mon, Oct 30, 2017 at 10:58 AM, Stephen Smalley wrote: > Since 4.14-rc1, the selinux-testsuite has been encountering sporadic > failures during testing of labeled IPSEC. git bisect pointed to > commit ec30d78c14a813db39a647b6a348b4286 ("xfrm: add xdst pcpu cache"). > The

Re: [RFC PATCH] xfrm: fix regression introduced by xdst pcpu cache

2017-10-31 Thread Florian Westphal
Stephen Smalley wrote: > It is a regression; the correct SA was being used prior to the xdst > pcpu cache commit. I don't doubt that at all. I would like to understand why the flow cache did not have this problem. > easily run on a Fedora VM, > git clone

Re: [RFC PATCH] xfrm: fix regression introduced by xdst pcpu cache

2017-10-31 Thread Stephen Smalley
On Tue, 2017-10-31 at 09:43 -0400, Stephen Smalley wrote: > On Tue, 2017-10-31 at 12:11 +0100, Florian Westphal wrote: > > Stephen Smalley wrote: > > > Since 4.14-rc1, the selinux-testsuite has been encountering > > > sporadic > > > failures during testing of labeled IPSEC.

Re: [RFC PATCH] xfrm: fix regression introduced by xdst pcpu cache

2017-10-31 Thread Stephen Smalley
On Tue, 2017-10-31 at 12:11 +0100, Florian Westphal wrote: > Stephen Smalley wrote: > > Since 4.14-rc1, the selinux-testsuite has been encountering > > sporadic > > failures during testing of labeled IPSEC. git bisect pointed to > > commit ec30d78c14a813db39a647b6a348b4286

Re: [RFC PATCH] xfrm: fix regression introduced by xdst pcpu cache

2017-10-31 Thread Florian Westphal
Stephen Smalley wrote: > Since 4.14-rc1, the selinux-testsuite has been encountering sporadic > failures during testing of labeled IPSEC. git bisect pointed to > commit ec30d78c14a813db39a647b6a348b4286 ("xfrm: add xdst pcpu cache"). > The xdst pcpu cache is only checking that

[RFC PATCH] xfrm: fix regression introduced by xdst pcpu cache

2017-10-30 Thread Stephen Smalley
Since 4.14-rc1, the selinux-testsuite has been encountering sporadic failures during testing of labeled IPSEC. git bisect pointed to commit ec30d78c14a813db39a647b6a348b4286 ("xfrm: add xdst pcpu cache"). The xdst pcpu cache is only checking that the policies are the same, but does not validate

[RFC PATCH] xfrm: fix regression introduced by xdst pcpu cache

2017-10-27 Thread Stephen Smalley
commit ec30d78c14a813db39a647b6a348b4286 ("xfrm: add xdst pcpu cache") introduced a regression in the use of labeled IPSEC. The cache was only checking that the policies are the same, but did not validate that the policy, state, and flow matched with respect to security context labeling. As a