[SELINUX]: increment flow cache genid

Currently, old flow cache entries remain valid even after a reload of SELinux policy. This patch increments the flow cache generation id on policy (re)loads so that flow cache entries are revalidated as needed. Thanks to Herbet Xu for pointing this out. See: http://marc.theaimsgroup.com/?l=linux-netdev&m=116841378704536&w=2 There's also a general issue as well as a solution proposed by David Miller for when flow_cache_genid wraps. I might be submitting a separate patch for that later. I request that this be applied to 2.6.20 since it's a security relevant fix. Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: David S. Miller <davem@davemloft.net>
amtssp · Jan 24, 2007 · 334c855 · 334c855
1 parent d88ae4c
commit 334c855
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
@@ -1299,6 +1299,7 @@ int security_load_policy(void *data, size_t len)
 		avc_ss_reset(seqno);
 		selnl_notify_policyload(seqno);
 		selinux_netlbl_cache_invalidate();
+		atomic_inc(&flow_cache_genid);
 		return 0;
 	}
 
@@ -1354,6 +1355,7 @@ int security_load_policy(void *data, size_t len)
 	avc_ss_reset(seqno);
 	selnl_notify_policyload(seqno);
 	selinux_netlbl_cache_invalidate();
+	atomic_inc(&flow_cache_genid);
 
 	return 0;
 
@@ -1853,6 +1855,7 @@ int security_set_bools(int len, int *values)
 	if (!rc) {
 		avc_ss_reset(seqno);
 		selnl_notify_policyload(seqno);
+		atomic_inc(&flow_cache_genid);
 	}
 	return rc;
 }