| Field | Value |
|---|---|
| Message ID | 51F20DEF.2090108@windriver.com |
| State | Superseded, archived |
| Delegated to | David Miller |
On Fri, Jul 26, 2013 at 01:49:35PM +0800, Fan Du wrote:

> diff --git a/security/selinux/include/xfrm.h
> b/security/selinux/include/xfrm.h
> index 65f67cb..4f72d2c 100644
> --- a/security/selinux/include/xfrm.h
> +++ b/security/selinux/include/xfrm.h
> @@ -50,8 +50,14 @@ int selinux_xfrm_decode_session(struct sk_buff *skb, u32
> *sid, int ckall);
>
> static inline void selinux_xfrm_notify_policyload(void)
> {
> + struct net *net;
> +
> atomic_inc(&flow_cache_genid);
> - rt_genid_bump(&init_net);
> + rtnl_lock();
> + for_each_net(net) {
> + rt_genid_bump_all(net);
> + }
> + rtnl_unlock();
> }
> #else
> static inline int selinux_xfrm_enabled(void)
>
>
> Let me know if I miss something inside it. Thanks.

I do think it is the correct change. The locking seems correct, too. I will exercise the code with lockdep as soon as you publish a new patch.

Greetings,

Hannes
On Friday, July 26, 2013 01:49:35 PM Fan Du wrote:

> I took a look at the SELINUX xfrm part; to my limited understanding, a SELINUX XFRM
> rule should take global effect on all net namespaces in the current
> implementation.

Yes, a SELinux policy load needs to bump the cache ID as the new SELinux policy could have an effect on the IPsec state (SELinux label associated with the SAs and SPD rules).

> diff --git a/security/selinux/include/xfrm.h
> b/security/selinux/include/xfrm.h index 65f67cb..4f72d2c 100644
> --- a/security/selinux/include/xfrm.h
> +++ b/security/selinux/include/xfrm.h
> @@ -50,8 +50,14 @@ int selinux_xfrm_decode_session(struct sk_buff *skb, u32
> *sid, int ckall);
>
> static inline void selinux_xfrm_notify_policyload(void)
> {
> + struct net *net;
> +
> atomic_inc(&flow_cache_genid);
> - rt_genid_bump(&init_net);
> + rtnl_lock();
> + for_each_net(net) {
> + rt_genid_bump_all(net);
> + }
> + rtnl_unlock();
> }
> #else
> static inline int selinux_xfrm_enabled(void)
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h index 65f67cb..4f72d2c 100644 --- a/security/selinux/include/xfrm.h +++ b/security/selinux/include/xfrm.h @@ -50,8 +50,14 @@ int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall); static inline void selinux_xfrm_notify_policyload(void) { + struct net *net; + atomic_inc(&flow_cache_genid); - rt_genid_bump(&init_net); + rtnl_lock(); + for_each_net(net) { + rt_genid_bump_all(net); + } + rtnl_unlock(); } #else static inline int selinux_xfrm_enabled(void)
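Review bot: the new rtnl_lock()/rtnl_unlock() pair in selinux_xfrm_notify_policyload() turns a previously non-blocking inline into one that takes a sleeping lock, so every caller on the SELinux policy-load path must be in a context that may sleep and must not already hold the RTNL; a one-line comment above the function stating that requirement would document the new contract, and the commit message should say that a policy load now bumps the route generation id in every network namespace rather than only init_net. Two smaller points in the same hunk: the braces around the single-statement `for_each_net(net)` body are not needed in kernel style (`for_each_net(net)` followed by `rt_genid_bump_all(net);` on its own line suffices), and since this is a header, please confirm that xfrm.h already includes, or now gains, the headers that declare `struct net`, `for_each_net()` and `rtnl_lock()`, because the hunk's context lines do not show them.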