On Thursday, May 23, 2013 11:29:58 PM Sergei Shtylyov wrote:
> Hello.
>
> On 05/23/2013 11:07 PM, Paul Moore wrote:
> > In some cases after deleting a policy from the SPD the policy would
> > remain in the dst/flow/route cache for an extended period of time
> > which caused problems for SELinux as its dynamic network access
> > controls key off of the number of XFRM policy and state entries.
> > This patch corrects this problem by forcing a XFRM garbage collection
> > whenever a policy is successfully removed.
> >
> > Reported-by: Ondrej Moris <omoris@xxxxxxxxxx>
> > Signed-off-by: Paul Moore <pmoore@xxxxxxxxxx>
> > ---
> >
> > include/net/xfrm.h | 6 ++++++
> > net/key/af_key.c | 4 ++++
> > net/xfrm/xfrm_policy.c | 3 ++-
> > net/xfrm/xfrm_user.c | 2 ++
> > 4 files changed, 14 insertions(+), 1 deletion(-)
> >
> > diff --git a/include/net/xfrm.h b/include/net/xfrm.h
> > index ae16531..918e4cd 100644
> > --- a/include/net/xfrm.h
> > +++ b/include/net/xfrm.h
>
> [...]
>
> > @@ -1194,6 +1196,10 @@ static inline int xfrm6_policy_check_reverse(struct
> > sock *sk, int dir,
>
> > {
> >
> > return 1;
> >
> > }
> >
> > +static inline void xfrm_garbage_collect(struct net *net)
> > +{
> > + return;
>
> Not needed.
>
> > +}

True, I added it for the sake of completeness, but I'll go ahead and remove it.

--
paul moore
security and virtualization @ redhat

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
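Review bot: the bare `return;` in the new `xfrm_garbage_collect()` stub is redundant in a void function and should be dropped, as the thread agrees; the empty inline body itself is still worth keeping, since the surrounding context in this hunk (`xfrm6_policy_check_reverse()` unconditionally returning 1) indicates this is the stub half of include/net/xfrm.h, so the function needs a definition there for builds that compile the real implementation out. The `[...]` elision hides the other half of the header change, so the real declaration and this stub should be checked for the same `struct net *net` signature.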