On Wed, Nov 28, 2018 at 1:44 PM Paul Moore wrote:
> Commit 32a4f5ecd738 ("net: sched: introduce chain object to uapi")
> added new RTM_* definitions without properly updating SELinux, this
> patch adds the necessary SELinux support.
>
> While there was a BUILD_BUG
the broken commit. In order to
hopefully prevent this from happening in the future, add additional
comments which provide some instructions on how to resolve the
BUILD_BUG_ON() failures.
Fixes: 32a4f5ecd738 ("net: sched: introduce chain object to uapi")
Cc: # 4.19
Signed-off-by: Paul
ed, 7 insertions(+), 4 deletions(-)
See my previous comments about the necessity of this patch, but beyond
that it looks fine to me.
Acked-by: Paul Moore
> diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
> index 82178cc69c96..777fa3b7fb13 100644
> --- a/net/ipv4/cipso_i
optptr[0]) {
case IPOPT_END:
return NULL;
case IPOPT_NOOP:
taglen = 1;
default:
taglen = optptr[1];
}
if (taglen == 0 || taglen > optlen)
return NULL;
if (optptr[0] == IPOPT_CIPSO)
return optptr;
}
> optlen -= taglen;
> optptr += taglen;
> }
--
paul moore
www.paul-moore.com
From: Paul Moore
At present the ipv6_renew_options_kern() function ends up calling into
access_ok() which is problematic if done from inside an interrupt as
access_ok() calls WARN_ON_IN_IRQ() on some (all?) architectures
(x86-64 is affected). Example warning/backtrace is shown below:
WARNING
w_option() and have it
> do this pointer dance instead?
>
> That's going to definitely be easier to read.
I agree, that struck me as a little odd. I'll rework that too. I'll
send you guys something this week to take a look at.
Thanks.
> I don't know enough about this code to give feed
On Tue, May 22, 2018 at 1:35 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> On 2018-05-21 16:06, Paul Moore wrote:
>> On Mon, May 21, 2018 at 3:19 PM, Eric W. Biederman <ebied...@xmission.com>
>> wrote:
>> > Steve Grubb <sgr...@redhat.com> writes:
>
* call it
the *audit* container ID? that is not an accident) available for
userspace applications to abuse. Perhaps in the future we can look at
ways to make this more available to applications, but this patch is
not the answer.
--
paul moore
www.paul-moore.com
audit_kill_trees(>killed_trees);
>
> @@ -2071,8 +2104,8 @@ int audit_set_loginuid(kuid_t loginuid)
> sessionid = (unsigned
> int)atomic_inc_return(_id);
> }
>
> - task->sessionid = sessionid;
> - task->loginuid = loginuid;
> + task->audit->sessionid = sessionid;
> + task->audit->loginuid = loginuid;
> out:
> audit_log_set_loginuid(oldloginuid, loginuid, oldsessionid,
> sessionid, rc);
> return rc;
> diff --git a/kernel/fork.c b/kernel/fork.c
> index cd18448..92ab849 100644
> --- a/kernel/fork.c
> +++ b/kernel/fork.c
> @@ -1713,7 +1713,7 @@ static __latent_entropy struct task_struct
> *copy_process(
> p->start_time = ktime_get_ns();
> p->real_start_time = ktime_get_boot_ns();
> p->io_context = NULL;
> - audit_set_context(p, NULL);
> + p->audit = NULL;
> cgroup_fork(p);
> #ifdef CONFIG_NUMA
> p->mempolicy = mpol_dup(p->mempolicy);
> --
> 1.8.3.1
--
paul moore
www.paul-moore.com
audit_log_start(current->audit_context, GFP_KERNEL,
> + ab = audit_log_start(audit_context(), GFP_KERNEL,
> AUDIT_CONFIG_CHANGE);
> if (unlikely(!ab))
> return;
> --
> 1.8.3.1
--
paul moore
www.paul-moore.com
_uid(t);
>
> if (auditd_test_task(t) &&
> (sig == SIGTERM || sig == SIGHUP ||
> sig == SIGUSR1 || sig == SIGUSR2)) {
> audit_sig_pid = task_tgid_nr(current);
> - if (uid_valid(current->loginuid))
> - audit_sig_uid = current->loginuid;
> + auid = audit_get_loginuid(current);
> + if (uid_valid(auid))
> + audit_sig_uid = auid;
> else
> audit_sig_uid = uid;
> security_task_getsecid(current, _sig_sid);
> --
> 1.8.3.1
>
--
paul moore
www.paul-moore.com
*tsk,
> int return_valid,
> long return_code)
> {
> - struct audit_context *context = tsk->audit_context;
> + struct audit_context *context = tsk->audit.ctx;
>
> if (!context)
> return NULL;
> @@ -2066,8 +2066,8 @@ int audit_set_loginuid(kuid_t loginuid)
> sessionid = (unsigned
> int)atomic_inc_return(_id);
> }
>
> - task->sessionid = sessionid;
> - task->loginuid = loginuid;
> + task->audit.sessionid = sessionid;
> + task->audit.loginuid = loginuid;
> out:
> audit_log_set_loginuid(oldloginuid, loginuid, oldsessionid,
> sessionid, rc);
> return rc;
> --
> 1.8.3.1
>
--
paul moore
www.paul-moore.com
>
> Signed-off-by: Richard Guy Briggs <r...@redhat.com>
> ---
> include/linux/audit.h | 6 ++
> kernel/auditsc.c | 7 +++
> kernel/fork.c | 2 +-
> 3 files changed, 10 insertions(+), 5 deletions(-)
Merged with some minor fuzz.
--
paul moore
www.paul-moore.com
| 12 +++
> 15 files changed, 64 insertions(+), 60 deletions(-)
Merged, but there was some fuzz due to the missing 1/5 patch and a
handfull of checkpatch.pl fixes. Please take a look at the commit in
the audit/next branch and if anything looks awry please send a patch
to fix it.
--
paul moore
www.paul-moore.com
ng or clearing? */
> if (uid_valid(loginuid)) {
> sessionid = (unsigned int)atomic_inc_return(_id);
> - if (unlikely(sessionid == (unsigned int)-1))
> + if (unlikely(sessionid == AUDIT_SID_UNSET))
> sessionid = (unsigned
> int)atomic_inc_return(_id);
> }
>
> --
> 1.8.3.1
>
--
paul moore
www.paul-moore.com
uid = uid;
> security_task_getsecid(tsk, _sig_sid);
A gentle reminder that you should try to make you patches as
"checkpatch clean" as possible (see scripts/checkpatch.pl). There are
several 80-char warnings, which aren't fatal, but the big no-no is
below:
ERROR: do not use assignment in if condition
#72: FILE: kernel/auditsc.c:2290:
+ if (uid_valid(auid = audit_get_loginuid(tsk)))
... while I don't completely agree with everything checkpatch has to
say, I definitely agree with checkpatch when it comes to assignments
in if conditions.
--
paul moore
www.paul-moore.com
ons(-)
All three patches looked good to me. I've merged them into
selinux/stable-4.17 and assuming nothing breaks in the next day or two
I'll send it up to Linus mid-week.
Thanks everyone!
--
paul moore
www.paul-moore.com
On Thu, May 10, 2018 at 5:28 AM, Alexey Kodanev
<alexey.koda...@oracle.com> wrote:
> On 10.05.2018 01:02, Paul Moore wrote:
> ...
>> I just had a better look at this and I believe that Alexey and Stephen
>> are right: this is the best option. My apologies for the noise
>
On Wed, May 9, 2018 at 11:34 AM, Paul Moore <p...@paul-moore.com> wrote:
> On Wed, May 9, 2018 at 11:11 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
>> On 05/09/2018 11:01 AM, Paul Moore wrote:
>>> On Wed, May 9, 2018 at 8:37 AM, Stephen Smalley <s...@tycho.nsa.
+-
> security/integrity/integrity_audit.c | 2 +-
> security/lsm_audit.c | 2 +-
> security/selinux/hooks.c | 4 +-
> security/selinux/selinuxfs.c | 6 +--
> security/selinux/ss/services.c | 12 +++---
> 21 files changed, 129 insertions(+), 79 deletions(-)
> create mode 100644 include/linux/audit_task.h
>
> --
> 1.8.3.1
>
--
paul moore
www.paul-moore.com
SID_UNSET,
> + .ctx= NULL,
> + },
> #endif
> #ifdef CONFIG_PERF_EVENTS
> .perf_event_mutex = __MUTEX_INITIALIZER(init_task.perf_event_mutex),
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index f294e4a..b5d8bff 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -2068,8 +2068,8 @@ int audit_set_loginuid(kuid_t loginuid)
> sessionid = (unsigned
> int)atomic_inc_return(_id);
> }
>
> - task->sessionid = sessionid;
> - task->loginuid = loginuid;
> + task->audit.sessionid = sessionid;
> + task->audit.loginuid = loginuid;
> out:
> audit_log_set_loginuid(oldloginuid, loginuid, oldsessionid,
> sessionid, rc);
> return rc;
> --
> 1.8.3.1
--
paul moore
www.paul-moore.com
On Wed, May 9, 2018 at 11:11 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On 05/09/2018 11:01 AM, Paul Moore wrote:
>> On Wed, May 9, 2018 at 8:37 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
>>> On 05/08/2018 08:25 PM, Paul Moore wrote:
>>>> On Tu
LL;
> @@ -1510,7 +1510,7 @@ void __audit_syscall_entry(int major, unsigned long a1,
> unsigned long a2,
>unsigned long a3, unsigned long a4)
> {
> struct task_struct *tsk = current;
> - struct audit_context *context = tsk->audit_context;
> + struct audit_context *context = audit_context(tsk);
> enum audit_state state;
>
> if (!audit_enabled || !context)
--
paul moore
www.paul-moore.com
if (unlikely(sessionid == (unsigned int)-1))
>> + if (unlikely(sessionid == AUDIT_SID_UNSET))
>> sessionid = (unsigned
>> int)atomic_inc_return(_id);
>> }
>>
>> --
>> 1.8.3.1
>>
>> --
>> Linux-audit mailing list
>> linux-au...@redhat.com
>> https://www.redhat.com/mailman/listinfo/linux-audit
>
> - RGB
>
> --
> Richard Guy Briggs <r...@redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
>
> --
> Linux-audit mailing list
> linux-au...@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
--
paul moore
www.paul-moore.com
t away loginuid accesses (which I think
is good), we should probably access it once, store it in a local
variable, perform the validity check on the local variable, then
commit the local variable to audit_sig_uid. I realize a TOCTOU
problem is unlikely here, but with this new layer of abstraction it
seems that some additional safety might be a good thing.
> else
> audit_sig_uid = uid;
> security_task_getsecid(tsk, _sig_sid);
> --
> 1.8.3.1
--
paul moore
www.paul-moore.com
On Wed, May 9, 2018 at 8:37 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On 05/08/2018 08:25 PM, Paul Moore wrote:
>> On Tue, May 8, 2018 at 2:40 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
>>> On 05/08/2018 01:05 PM, Paul Moore wrote:
>>>> On Tu
On Tue, May 8, 2018 at 2:40 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On 05/08/2018 01:05 PM, Paul Moore wrote:
>> On Tue, May 8, 2018 at 10:05 AM, Alexey Kodanev
>> <alexey.koda...@oracle.com> wrote:
>>> Commit d452930fd3b9 ("selinux
et->v4info.saddr = addr4->sin_addr.s_addr;
> - else
> + if (address->sa_family == AF_INET6)
> ad.u.net->v6info.saddr = addr6->sin6_addr;
> + else
> + ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
>
> err = avc_has_perm(_state,
>sksec->sid, sid,
> --
> 1.8.3.1
>
--
paul moore
www.paul-moore.com
On Tue, Apr 24, 2018 at 8:40 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> On 2018-04-24 15:01, Paul Moore wrote:
>> On Mon, Apr 23, 2018 at 10:02 PM, Richard Guy Briggs <r...@redhat.com> wrote:
>> > On 2018-04-23 19:15, Paul Moore wrote:
>> >> On
uld move the hook out of the AF_UNIX layer and up into the socket
layer.
--
paul moore
www.paul-moore.com
On Mon, Apr 23, 2018 at 10:02 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> On 2018-04-23 19:15, Paul Moore wrote:
>> On Sat, Apr 21, 2018 at 10:34 AM, Richard Guy Briggs <r...@redhat.com> wrote:
>> > On 2018-04-18 19:47, Paul Moore wrote:
>> >> On
On Tue, Apr 24, 2018 at 1:56 PM, David Miller <da...@davemloft.net> wrote:
> From: Paul Moore <p...@paul-moore.com>
> Date: Tue, 24 Apr 2018 13:55:31 -0400
>
>> On Mon, Apr 23, 2018 at 9:30 AM, David Herrmann <dh.herrm...@gmail.com>
>> wrote:
>>> Us
I would prefer to see the hook placed in __sys_socketpair()
instead (and obviously drop the "unix_stream" portion from the hook
name).
> /* Join our sockets back to back */
> sock_hold(ska);
> --
> 2.17.0
--
paul moore
www.paul-moore.com
On Sat, Apr 21, 2018 at 10:34 AM, Richard Guy Briggs <r...@redhat.com> wrote:
> On 2018-04-18 19:47, Paul Moore wrote:
>> On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs <r...@redhat.com> wrote:
>> > Implement the proc fs write to set the audit container
On April 20, 2018 4:48:34 PM Richard Guy Briggs <r...@redhat.com> wrote:
On 2018-04-20 16:22, Paul Moore wrote:
On Fri, Apr 20, 2018 at 4:02 PM, Richard Guy Briggs <r...@redhat.com> wrote:
On 2018-04-18 21:46, Paul Moore wrote:
On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs <
On Fri, Apr 20, 2018 at 4:02 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> On 2018-04-18 21:46, Paul Moore wrote:
>> On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs <r...@redhat.com> wrote:
>> > Audit events could happen in a network namespace outside of a ta
On Thu, Apr 19, 2018 at 9:23 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> On 2018-04-18 20:39, Paul Moore wrote:
>> On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs <r...@redhat.com> wrote:
>> > Standalone audit records have the timestamp and serial nu
On Thu, Apr 19, 2018 at 9:03 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> On 2018-04-18 20:32, Paul Moore wrote:
>> On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs <r...@redhat.com> wrote:
...
>> > /*
>> > * audit_log_container_info - re
On Thu, Apr 19, 2018 at 8:42 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> On 2018-04-18 21:31, Paul Moore wrote:
>> On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs <r...@redhat.com> wrote:
>> > Add container ID auxiliary records to secure computing and abnorm
On Thu, Apr 19, 2018 at 8:45 AM, Richard Guy Briggs <r...@redhat.com> wrote:
> On 2018-04-18 22:10, Paul Moore wrote:
>> On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs <r...@redhat.com> wrote:
>> > Add container ID auxiliary record(s) to NETFILTER_PKT event sta
On Thu, Apr 19, 2018 at 8:31 AM, Richard Guy Briggs <r...@redhat.com> wrote:
> On 2018-04-18 21:27, Paul Moore wrote:
>> On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs <r...@redhat.com> wrote:
>> > Add container ID auxiliary records to configuration ch
sprintf(buf, "net%u", i++);
> + audit_log_container_info(context, buf, cont->id);
> + }
It seems like this could (should?) be hidden inside an audit function,
e.g. audit_log_net_containers() or something like that.
> errout:
> + audit_free_context(context);
> return XT_CONTINUE;
> }
--
paul moore
www.paul-moore.com
u64 containerid = audit_get_containerid(p);
>
> might_sleep();
>
> @@ -224,6 +227,9 @@ void switch_task_namespaces(struct task_struct *p, struct
> nsproxy *new)
> ns = p->nsproxy;
> p->nsproxy = new;
> task_unlock(p);
> + net_del_audit_containerid(ns->net_ns, containerid);
> + if (new)
> + net_add_audit_containerid(new->net_ns, containerid);
Okay, we might need a hook here for switching namespaces, but I would
much rather it be a generic audit hook that calls directly into audit.
--
paul moore
www.paul-moore.com
code)
> signr, syscall_get_arch(), syscall,
> in_compat_syscall(), KSTK_EIP(current), code);
> audit_log_end(ab);
> + audit_log_container_info(context, "seccomp",
> audit_get_containerid(current));
> + audit_free_context(context);
> }
>
> struct list_head *audit_killed_trees(void)
--
paul moore
www.paul-moore.com
gt; return;
Well, first I think we should be able to get rid of the local context,
but if for some reason we can't use current->audit_context then do the
allocation after the audit_enabled check.
> - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
> + ab = audit_log_start(context, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
> if (!ab)
> return;
> audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid);
> @@ -1122,6 +1123,8 @@ static void audit_log_rule_change(char *action, struct
> audit_krule *rule, int re
> audit_log_key(ab, rule->filterkey);
> audit_log_format(ab, " list=%d res=%d", rule->listnr, res);
> audit_log_end(ab);
> + audit_log_container_info(context, "config",
> audit_get_containerid(current));
> + audit_free_context(context);
> }
--
paul moore
www.paul-moore.com
On Wed, Apr 18, 2018 at 8:41 PM, Casey Schaufler <ca...@schaufler-ca.com> wrote:
> On 4/18/2018 4:47 PM, Paul Moore wrote:
>> On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs <r...@redhat.com> wrote:
>>> Implement the proc fs write to set the audit container
from_kuid(_user_ns,
> audit_get_loginuid(current)),
> +audit_get_sessionid(current), op);
> + audit_log_format(ab, " path=");
> + audit_log_untrustedstring(ab, w->path);
> + audit_log_key(ab, r->filterkey);
> + audit_log_format(ab, " list=%d res=1", r->listnr);
> + audit_log_end(ab);
> + audit_log_container_info(context, "config",
> audit_get_containerid(current));
> + audit_free_context(context);
> }
--
paul moore
www.paul-moore.com
return;
> audit_free_names(context);
> unroll_tree_refs(context, NULL, 0);
> free_tree_refs(context);
I'm reserving the option to comment on this idea further as I make my
way through the patchset, but audit_free_context() definitely
shouldn't be declared as an inline function.
--
paul moore
www.paul-moore.com
ntext->target_pid,
> context->target_auid, context->target_uid,
> context->target_sessionid,
> - context->target_sid, context->target_comm))
> + context->target_sid, context->target_comm)
> + && audit_log_container_info(context, "target",
> context->target_cid))
Same question.
> call_panic = 1;
>
> if (context->pwd.dentry && context->pwd.mnt) {
--
paul moore
www.paul-moore.com
gt;op,
> f->val);
> break;
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 65be110..2bba324 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -614,6 +614,9 @@ static int audit_filter_rules(struct task_struct *tsk,
> case AUDIT_LOGINUID_SET:
> result = audit_comparator(audit_loginuid_set(tsk),
> f->op, f->val);
> break;
> + case AUDIT_CONTAINERID:
> + result =
> audit_comparator64(audit_get_containerid(tsk), f->op, f->val64);
> + break;
> case AUDIT_SUBJ_USER:
> case AUDIT_SUBJ_ROLE:
> case AUDIT_SUBJ_TYPE:
> --
> 1.8.3.1
>
> --
> Linux-audit mailing list
> linux-au...@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
--
paul moore
www.paul-moore.com
y(task)))
> + return -EPERM;
> /* if containerid is unset, allow */
> if (!audit_containerid_set(task))
> return 0;
> --
> 1.8.3.1
--
paul moore
www.paul-moore.com
nerid,
> !rc);
> +
> + audit_put_tty(tty);
> + audit_log_end(ab);
> +}
> +
> +/**
> + * audit_set_containerid - set current task's audit_context containerid
> + * @containerid: containerid value
> + *
> + * Returns 0 on success, -EPERM on permission failure.
> + *
> + * Called (set) from fs/proc/base.c::proc_containerid_write().
> + */
> +int audit_set_containerid(struct task_struct *task, u64 containerid)
> +{
> + u64 oldcontainerid;
> + int rc;
> +
> + oldcontainerid = audit_get_containerid(task);
> +
> + rc = audit_set_containerid_perm(task, containerid);
> + if (!rc) {
> + task_lock(task);
> + task->containerid = containerid;
> + task_unlock(task);
> + }
> +
> + audit_log_set_containerid(task, oldcontainerid, containerid, rc);
> + return rc;
Why are audit_set_containerid_perm() and audit_log_containerid()
separate functions?
--
paul moore
www.paul-moore.com
err = -EISCONN;
> + else
> + err = -EALREADY;
> + goto free;
> }
>
> - /* If the SCTP_INIT ancillary data is specified, set all
> - * the association init values accordingly.
> - */
> - if (sinit) {
> - if (sinit->sinit_num_ostreams) {
> - __u16 outcnt = sinit->sinit_num_ostreams;
> -
> - asoc->c.sinit_num_ostreams = outcnt;
> - /* outcnt has been changed, so re-init stream
> */
> - err = sctp_stream_init(>stream, outcnt,
> 0,
> - GFP_KERNEL);
> - if (err)
> - goto out_free;
> - }
> - if (sinit->sinit_max_instreams) {
> - asoc->c.sinit_max_instreams =
> - sinit->sinit_max_instreams;
> - }
> - if (sinit->sinit_max_attempts) {
> - asoc->max_init_attempts
> - = sinit->sinit_max_attempts;
> - }
> - if (sinit->sinit_max_init_timeo) {
> - asoc->max_init_timeo =
> -
> msecs_to_jiffies(sinit->sinit_max_init_timeo);
> - }
> + if (sctp_endpoint_is_peeled_off(ep, daddr)) {
> + err = -EADDRNOTAVAIL;
> + goto free;
> }
>
> - /* Prime the peer's transport structures. */
> - transport = sctp_assoc_add_peer(asoc, , GFP_KERNEL,
> SCTP_UNKNOWN);
> + transport = sctp_assoc_add_peer(asoc, daddr, GFP_KERNEL,
> + SCTP_UNKNOWN);
> if (!transport) {
> err = -ENOMEM;
> - goto out_free;
> + goto free;
> }
> }
>
--
paul moore
www.paul-moore.com
On Wed, Mar 7, 2018 at 3:26 PM, David Miller <da...@davemloft.net> wrote:
> From: Paul Moore <p...@paul-moore.com>
> Date: Wed, 7 Mar 2018 15:20:33 -0500
>
>>> So you would only have to wait until my tree went in before
>>> sending your pull request.
>&
On Wed, Mar 7, 2018 at 12:45 PM, David Miller <da...@davemloft.net> wrote:
> From: Paul Moore <p...@paul-moore.com>
> Date: Wed, 7 Mar 2018 12:27:52 -0500
>
>> I'm not sure we could have cleanly separated the core network stack
>> changes from the rest of the SE
On Wed, Mar 7, 2018 at 11:41 AM, David Miller <da...@davemloft.net> wrote:
> From: Paul Moore <p...@paul-moore.com>
> Date: Wed, 7 Mar 2018 11:34:31 -0500
>> On Mon, Mar 5, 2018 at 2:03 AM, Xin Long <lucien@gmail.com> wrote:
>>> On Mon, Mar
guess it might not yet be there when selinux tree was
> being submitted.
The selinux/next branch is based on v4.16-rc1 and doesn't feed into
the netdev tree, it goes straight to Linus during the merge window so
unfortunately I think we may need to carry this for some time and
relay this fix-up patch up to Linus during the merge window.
--
paul moore
www.paul-moore.com
On Tue, Mar 6, 2018 at 6:59 PM, Stephen Hemminger
<step...@networkplumber.org> wrote:
> On Tue, 06 Mar 2018 17:27:44 -0500
> Paul Moore <pmo...@redhat.com> wrote:
>> From: Paul Moore <p...@paul-moore.com>
>>
>> Starting with v4.16-rc1 we've been seeing
On Tue, Mar 6, 2018 at 5:27 PM, Paul Moore <pmo...@redhat.com> wrote:
> From: Paul Moore <p...@paul-moore.com>
>
> Starting with v4.16-rc1 we've been seeing a higher than usual number
> of requests for the kernel to load networking modules, even on events
> which shou
From: Paul Moore <p...@paul-moore.com>
Starting with v4.16-rc1 we've been seeing a higher than usual number
of requests for the kernel to load networking modules, even on events
which shouldn't trigger a module load (e.g. ioctl(TCGETS)). Stephen
Smalley suggested the problem may lie in
ly prefer
audit_containerid_isset().
>> +{
>> + return audit_get_containerid(tsk) != INVALID_CID;
>> +}
--
paul moore
www.paul-moore.com
return -EINVAL;
> snum = ntohs(addr6->sin6_port);
> + break;
> + default:
> + /* Note that SCTP services expect -EINVAL, whereas
> +* others expect -EAFNOSUPPORT.
> +*/
> + if (sksec->sclass == SECCLASS_SCTP_SOCKET)
> + return -EINVAL;
> + else
> + return -EAFNOSUPPORT;
> }
>
> err = sel_netport_sid(sk->sk_protocol, snum, );
> --
> 2.14.3
>
--
paul moore
www.paul-moore.com
On Fri, Mar 2, 2018 at 2:25 PM, Paul Moore <p...@paul-moore.com> wrote:
> On Fri, Mar 2, 2018 at 1:23 PM, Matthew Wilcox <wi...@infradead.org> wrote:
>> On Fri, Mar 02, 2018 at 10:48:42AM -0500, Paul Moore wrote:
>>> On Thu, Mar 1, 2018 at 8:41 PM, Richard Guy
On Fri, Mar 2, 2018 at 1:23 PM, Matthew Wilcox <wi...@infradead.org> wrote:
> On Fri, Mar 02, 2018 at 10:48:42AM -0500, Paul Moore wrote:
>> On Thu, Mar 1, 2018 at 8:41 PM, Richard Guy Briggs <r...@redhat.com> wrote:
>> > On 2018-03-01 14:41, Richard Guy Briggs wrote
t; parent and other tit-for-tat games to circumvent the basic checks.
FYI, I think you may have a problem with something in your outgoing
mail path; I didn't receive the original patchset you are referencing
and it doesn't appear in the mail archive either.
--
paul moore
www.paul-moore.com
On Thu, Mar 1, 2018 at 3:01 PM, Anders Roxell <anders.rox...@linaro.org> wrote:
> On 1 March 2018 at 14:42, Paul Moore <p...@paul-moore.com> wrote:
>> On Thu, Mar 1, 2018 at 3:33 AM, Anders Roxell <anders.rox...@linaro.org>
>> wrote:
>>> Hi,
>>
On March 1, 2018 9:36:37 AM Richard Haines <richard_c_hai...@btinternet.com>
wrote:
> On Thu, 2018-03-01 at 08:42 -0500, Paul Moore wrote:
>> On Thu, Mar 1, 2018 at 3:33 AM, Anders Roxell <anders.roxell@linaro.o
>> rg> wrote:
>> > Hi,
>> >
&
On Thu, Mar 1, 2018 at 9:36 AM, Richard Haines
<richard_c_hai...@btinternet.com> wrote:
> On Thu, 2018-03-01 at 08:42 -0500, Paul Moore wrote:
>> On Thu, Mar 1, 2018 at 3:33 AM, Anders Roxell <anders.roxell@linaro.o
>> rg> wrote:
>> > Hi,
>> >
&
LTP test suite and this was the only failure, or did you just run the
connect01 test? Either answer is fine, I'm just trying to understand
the scope of the regression.
Richard, are you able to look into this? If not, let me know and I'll
dig a bit deeper (I'll likely take a quick look today, but if the
failure is subtle it might require some digging).
--
paul moore
www.paul-moore.com
struct sock *sk, char
> __user *optval, unsigned
> if (val) {
> int min_len, max_len;
>
> - min_len = SCTP_DEFAULT_MINSEGMENT -
> sp->pf->af->net_header_len;
> + min_len = SCTP_DEFAULT_MINSEGMENT - af->net_header_len;
> + min_len -= af->ip_options_len(sk);
> min_len -= sizeof(struct sctphdr) +
>sizeof(struct sctp_data_chunk);
>
> @@ -3175,7 +3177,8 @@ static int sctp_setsockopt_maxseg(struct sock *sk, char
> __user *optval, unsigned
> asoc = sctp_id2assoc(sk, params.assoc_id);
> if (asoc) {
> if (val == 0) {
> - val = asoc->pathmtu - sp->pf->af->net_header_len;
> + val = asoc->pathmtu - af->net_header_len;
> + val -= af->ip_options_len(sk);
> val -= sizeof(struct sctphdr) +
>sctp_datachk_len(>stream);
> }
> @@ -5087,9 +5090,11 @@ int sctp_do_peeloff(struct sock *sk, sctp_assoc_t id,
> struct socket **sockp)
> sctp_copy_sock(sock->sk, sk, asoc);
>
> /* Make peeled-off sockets more like 1-1 accepted sockets.
> -* Set the daddr and initialize id to something more random
> +* Set the daddr and initialize id to something more random and also
> +* copy over any ip options.
> */
> sp->pf->to_sk_daddr(>peer.primary_addr, sk);
> + sp->pf->copy_ip_options(sk, sock->sk);
>
> /* Populate the fields of the newsk from the oldsk and migrate the
> * asoc to the newsk.
> --
> 2.14.3
>
--
paul moore
www.paul-moore.com
On Thu, Feb 22, 2018 at 9:40 PM, Marcelo Ricardo Leitner
<marcelo.leit...@gmail.com> wrote:
> On Thu, Feb 22, 2018 at 06:08:05PM -0500, Paul Moore wrote:
>> On Wed, Feb 21, 2018 at 3:45 PM, Paul Moore <p...@paul-moore.com> wrote:
>> > On February 21, 2018 9:33
On Wed, Feb 21, 2018 at 3:45 PM, Paul Moore <p...@paul-moore.com> wrote:
> On February 21, 2018 9:33:51 AM Marcelo Ricardo Leitner
> <marcelo.leit...@gmail.com> wrote:
>> On Tue, Feb 20, 2018 at 07:15:27PM +, Richard Haines wrote:
>>> Add ip option supp
is into selinux/next and I'll send a note
when it's done.
--
paul moore
www.paul-moore.com
nux=150962470215797=2
> [3] https://marc.info/?l=selinux=151198281817779=2
>
> Richard Haines (4):
> security: Add support for SCTP security hooks
> sctp: Add ip option support
> sctp: Add LSM hooks
> selinux: Add SCTP support
Marcelo, or any other SCTP folks, do the SCTP changes still look okay
to you? I'd like to merge these into the selinux/next tree by the end
of the week ...
--
paul moore
www.paul-moore.com
On Mon, Nov 13, 2017 at 5:13 PM, Paul Moore <p...@paul-moore.com> wrote:
> On Mon, Nov 13, 2017 at 3:54 PM, Richard Haines
> <richard_c_hai...@btinternet.com> wrote:
>> When resolving a fallback label, check the sk_buff version as it
>> is possible (e.g. SCTP) t
ailing list. The map lookup
> is faster than a linear search, but for large filters, the filter can
> be written as a balanced tree (as Chrome does), or reordered by
> syscall frequency (as is recommended by minijail), and that appears to
> get a much larger improvement than even the map lookup.
For reference, the current libseccomp approach is to put the shorter
rules near the top of the filter (e.g. syscall only) with the longer
rules (e.g. syscall + arguments) towards the end. The libseccomp API
does allow for callers to influence the ordering via syscall priority
hints.
Someone is currently looking a tree-based ordering of syscalls for
libseccomp, and I'm always open to new/better ideas.
--
paul moore
security @ redhat
On Fri, Feb 2, 2018 at 5:19 PM, Simo Sorce <s...@redhat.com> wrote:
> On Fri, 2018-02-02 at 16:24 -0500, Paul Moore wrote:
>> On Wed, Jan 10, 2018 at 2:00 AM, Richard Guy Briggs <r...@redhat.com> wrote:
>> > On 2018-01-09 11:18, Simo Sorce wrote:
>> > >
(I don't want the kernel to have to handle that level of bookkeeping).
I imagine this should be similar to what is done for VM auditing with
libvirt.
--
paul moore
www.paul-moore.com
ggate audit logs outside of the system or you want to
>> correlate the system audit logs with other components dealing with
>> containers, now you need a place where you provide a mapping from your
>> audit u64 to the ID a container has in the rest of the system.
>>
>> b) Now you need a mapping of some sort. The simplest way a container
>> orchestrator can go about this is to just use the UUID or Hash
>> representing their view of the container, truncate it to a u64 and use
>> that for Audit. This means there are some chances there will be a
>> collision and a duplicate u64 ID will be used by the orchestrator as
>> the container ID. What happen in that case ?
>
> Paul, can you justify this somewhat larger inconvenience for some
> relatively minor convenience on our part?
Done in direct response to Simo.
But to be clear Richard, we've talked about this a few times, it's not
a "minor convenience" on our part, it's a pretty big convenience once
we starting having to route audit events and make decisions based on
the audit container ID information. Audit performance is less than
awesome now, I'm working hard to not make it worse.
> u64 vs u128 is easy for us to
> accomodate in terms of scalar comparisons. It doubles the information
> in every container id field we print in audit records.
... and slows down audit container ID checks.
> A c36 is a bigger step.
Yeah, we're not doing that, no way.
--
paul moore
www.paul-moore.com
UID or Hash
> representing their view of the container, truncate it to a u64 and use
> that for Audit. This means there are some chances there will be a
> collision and a duplicate u64 ID will be used by the orchestrator as
> the container ID. What happen in that case ?
That is a design decision left to the different container orchestrators.
--
paul moore
www.paul-moore.com
gt; * @sk: the socket to label
> * @addr: the destination address
> *
> @@ -479,18 +552,13 @@ int selinux_netlbl_socket_setsockopt(struct socket
> *sock,
> * Returns zero values on success, negative values on failure.
> *
> */
> -int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr)
> +static int selinux_netlbl_socket_connect_helper(struct sock *sk,
> + struct sockaddr *addr)
> {
> int rc;
> struct sk_security_struct *sksec = sk->sk_security;
> struct netlbl_lsm_secattr *secattr;
>
> - if (sksec->nlbl_state != NLBL_REQSKB &&
> - sksec->nlbl_state != NLBL_CONNLABELED)
> - return 0;
> -
> - lock_sock(sk);
> -
> /* connected sockets are allowed to disconnect when the address family
> * is set to AF_UNSPEC, if that is what is happening we want to reset
> * the socket */
> @@ -498,18 +566,61 @@ int selinux_netlbl_socket_connect(struct sock *sk,
> struct sockaddr *addr)
> netlbl_sock_delattr(sk);
> sksec->nlbl_state = NLBL_REQSKB;
> rc = 0;
> - goto socket_connect_return;
> + return rc;
> }
> secattr = selinux_netlbl_sock_genattr(sk);
> if (secattr == NULL) {
> rc = -ENOMEM;
> - goto socket_connect_return;
> + return rc;
> }
> rc = netlbl_conn_setattr(sk, addr, secattr);
> if (rc == 0)
> sksec->nlbl_state = NLBL_CONNLABELED;
>
> -socket_connect_return:
> + return rc;
> +}
> +
> +/**
> + * selinux_netlbl_socket_connect_locked - Label a client-side socket on
> + * connect
> + * @sk: the socket to label
> + * @addr: the destination address
> + *
> + * Description:
> + * Attempt to label a connected socket that already has the socket locked
> + * with NetLabel using the given address.
> + * Returns zero values on success, negative values on failure.
> + *
> + */
> +int selinux_netlbl_socket_connect_locked(struct sock *sk,
> +struct sockaddr *addr)
> +{
> + struct sk_security_struct *sksec = sk->sk_security;
> +
> + if (sksec->nlbl_state != NLBL_REQSKB &&
> + sksec->nlbl_state != NLBL_CONNLABELED)
> + return 0;
> +
> + return selinux_netlbl_socket_connect_helper(sk, addr);
> +}
> +
> +/**
> + * selinux_netlbl_socket_connect - Label a client-side socket on connect
> + * @sk: the socket to label
> + * @addr: the destination address
> + *
> + * Description:
> + * Attempt to label a connected socket with NetLabel using the given address.
> + * Returns zero values on success, negative values on failure.
> + *
> + */
> +int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr)
> +{
> + int rc;
> +
> + lock_sock(sk);
> + rc = selinux_netlbl_socket_connect_locked(sk, addr);
> release_sock(sk);
> +
> return rc;
> }
> --
> 2.14.3
>
--
paul moore
www.paul-moore.com
On Wed, Jan 10, 2018 at 1:51 PM, Marcelo Ricardo Leitner
<marcelo.leit...@gmail.com> wrote:
> On Wed, Jan 10, 2018 at 11:39:45AM -0500, Paul Moore wrote:
>> On Sat, Dec 30, 2017 at 12:18 PM, Richard Haines
>> <richard_c_hai...@btinternet.com> wrote:
>> > No
bl_socket_connect_locked() and move description comments to
> selinux_sctp_bind_connect()
>
> [1] https://marc.info/?l=selinux=151061619115945=2
> [2] https://marc.info/?l=selinux=150962470215797=2
> [3] https://marc.info/?l=selinux=151198281817779=2
SCTP folks, any objections? I'm planning on merging these into
selinux-next after the next merge window so if you want to see any
changes, please speak up ...
--
paul moore
www.paul-moore.com
selinux_netlbl_socket_connect(...)
{
int rc;
lock_sock();
rc = selinux_netlbl_socket_connect_locked();
release_sock();
return rc;
}
Yes, you do end up checking nlbl_state while the socket lock is held,
but I believe the benefit of consolidating the code outweighs any
additional overhead (I believe it would be "noise" anyway).
Otherwise, this all looks good to me.
--
paul moore
www.paul-moore.com
not that acquainted with
>> these area of codes and I cannot work on them. I'll just wait for
>> Richard then.
>
> I'm back online and will post a V4 set of patches within a week. These
> will address Paul's comments as per [1] and Casey's regarding the
> documentation.
> Sorry for the delay
No worries, thanks.
--
paul moore
www.paul-moore.com
| 6 +++---
> kernel/trace/trace_printk.c | 4 ++--
> lib/raid6/sse2.c | 14 +++---
> sound/soc/fsl/fsl_dma.c | 2 +-
> 20 files changed, 30 insertions(+), 31 deletions(-)
For the audit bits ...
Acked-by: Paul Moore <p...@paul-moore.com>
--
paul moore
www.paul-moore.com
On December 14, 2017 4:04:28 PM Marcelo Ricardo Leitner
<marcelo.leit...@gmail.com> wrote:
> On Tue, Dec 12, 2017 at 05:24:46PM -0500, Paul Moore wrote:
>> On Tue, Dec 12, 2017 at 4:56 PM, Marcelo Ricardo Leitner
>> <marcelo.leit...@gmail.com> wrote:
>> > On T
On Tue, Dec 12, 2017 at 4:56 PM, Marcelo Ricardo Leitner
<marcelo.leit...@gmail.com> wrote:
> On Tue, Dec 12, 2017 at 04:33:03PM -0500, Paul Moore wrote:
>> On Tue, Dec 12, 2017 at 11:08 AM, Marcelo Ricardo Leitner
>> <marcelo.leit...@gmail.com> wrote:
>> >
is currently recalculating it on
> sctp_datamsg_from_user(), but probably should include other places as
> well.
FYI: Richard let me know he is occupied with another project at the
moment and likely won't be able to do another respin until next week
at the earliest.
--
paul moore
www.paul-moore.com
nnect() is that the SCTP variant takes a
lock, why not simply rename selinux_netlbl_sctp_socket_connect() to
selinux_netlbl_socket_connect_locked()? There is nothing really SCTP
specific here, aside from the comment header, which should already be
covered elsewhere.
[NOTE TO MYSELF: pick shorter function names next time, oof.]
--
paul moore
www.paul-moore.com
d go in via the SELinux tree, although I would like to see
ACKs from Dave and/or other netdev folks for the core stack bits.
--
paul moore
www.paul-moore.com
On Thu, Nov 30, 2017 at 7:47 AM, Paul Moore <p...@paul-moore.com> wrote:
> On Thu, Nov 30, 2017 at 5:50 AM, Eric Dumazet <eric.duma...@gmail.com> wrote:
>> On Wed, 2017-11-29 at 19:16 -0800, Casey Schaufler wrote:
>>> On 11/29/2017 4:31 PM, James Morris wrote:
&g
goto discard_and_relse;
>
> - tcp_v6_fill_cb(skb, hdr, th);
> -
> if (tcp_v6_inbound_md5_hash(sk, skb))
> goto discard_and_relse;
>
> @@ -1501,6 +1502,7 @@ static int tcp_v6_rcv(struct sk_buff *skb)
> goto discard_and_relse;
> th = (const struct tcphdr *)skb->data;
> hdr = ipv6_hdr(skb);
> + tcp_v6_fill_cb(skb, hdr, th);
>
> skb->dev = NULL;
>
> @@ -1590,7 +1592,6 @@ static int tcp_v6_rcv(struct sk_buff *skb)
> tcp_v6_timewait_ack(sk, skb);
> break;
> case TCP_TW_RST:
> - tcp_v6_restore_cb(skb);
> tcp_v6_send_reset(sk, skb);
> inet_twsk_deschedule_put(inet_twsk(sk));
> goto discard_it;
>
>
>
--
paul moore
www.paul-moore.com
ng change:
>>>
>>> commit bffa72cf7f9df842f0016ba03586039296b4caaf
>>> Author: Eric Dumazet <eduma...@google.com>
>>> Date: Tue Sep 19 05:14:24 2017 -0700
>>>
>>> net: sk_buff rbnode reorg
>>> ...
>>>
>>>
>>> Anyone else able to reproduce this, or have any ideas on what's
>>> happening?
>>
>> So far I haven't been able to reproduce with 4.15-rc1 or -linus.
>
> You might try adding KASAN in the picture ? ( CONFIG_KASAN=y )
As another data point, I have not hit this problem either, but I'm not
currently building my test kernels with KASAN enabled.
--
paul moore
www.paul-moore.com
On Tue, Nov 14, 2017 at 4:52 PM, Richard Haines
<richard_c_hai...@btinternet.com> wrote:
> On Mon, 2017-11-13 at 17:40 -0500, Paul Moore wrote:
>> On Mon, Nov 13, 2017 at 5:05 PM, Richard Haines
>> <richard_c_hai...@btinternet.com> wrote:
>> > On Mon, 2017-11
in linux-next tree on tag next-20171116.
>>
>> Signed-off-by: Tim Hansen <devtimhan...@gmail.com>
>
> Applied.
Thanks guys.
My apologies I wasn't able to ACK the patch sooner, I was traveling
and had spotty network access.
--
paul moore
www.paul-moore.com
On Mon, Nov 13, 2017 at 5:05 PM, Richard Haines
<richard_c_hai...@btinternet.com> wrote:
> On Mon, 2017-11-06 at 19:09 -0500, Paul Moore wrote:
>> On Tue, Oct 17, 2017 at 9:59 AM, Richard Haines
>> <richard_c_hai...@btinternet.com> wrote:
>> > The SELi
On Mon, Nov 13, 2017 at 3:50 PM, Richard Haines
<richard_c_hai...@btinternet.com> wrote:
> On Mon, 2017-11-06 at 18:15 -0500, Paul Moore wrote:
>> On Tue, Oct 17, 2017 at 9:58 AM, Richard Haines
>> <richard_c_hai...@btinternet.com> wrote:
>> > Add support
d-off-by: Richard Haines <richard_c_hai...@btinternet.com>
> ---
> net/netlabel/netlabel_unlabeled.c | 10 ++
> 1 file changed, 10 insertions(+)
Thanks Richard.
Acked-by: Paul Moore <p...@paul-moore.com>
> diff --git a/net/netlabel/netlabel_unlabeled.c
> b/net/netlabel/n
t *ep,
> +struct sk_buff *skb)
> +{
> + int rc;
> + struct netlbl_lsm_secattr secattr;
> + struct sk_security_struct *sksec = ep->base.sk->sk_security;
> +
> + if (ep->base.sk->sk_family != PF_INET &&
> + ep->base.sk->sk_family != PF_INET6)
> + return 0;
> +
> + netlbl_secattr_init();
> + rc = security_netlbl_sid_to_secattr(ep->secid, );
> + if (rc != 0)
> + goto assoc_request_return;
> +
> + rc = netlbl_sctp_setattr(ep->base.sk, skb, );
> + if (rc == 0)
> + sksec->nlbl_state = NLBL_LABELED;
> +
> +assoc_request_return:
> + netlbl_secattr_destroy();
> + return rc;
> +}
> +
> +/**
> * selinux_netlbl_inet_conn_request - Label an incoming stream connection
> * @req: incoming connection request socket
> *
> @@ -481,7 +517,7 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock,
> */
> int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr)
> {
> - int rc;
> + int rc, already_owned_by_user = 0;
> struct sk_security_struct *sksec = sk->sk_security;
> struct netlbl_lsm_secattr *secattr;
>
> @@ -489,7 +525,16 @@ int selinux_netlbl_socket_connect(struct sock *sk,
> struct sockaddr *addr)
> sksec->nlbl_state != NLBL_CONNLABELED)
> return 0;
>
> - lock_sock(sk);
> + /* Note: When called via connect(2) this happens before the socket
> +* protocol layer connect operation and @sk is not locked, HOWEVER,
> +* when called by the SCTP protocol layer via sctp_connectx(3),
> +* sctp_sendmsg(3) or sendmsg(2), @sk is locked. Therefore check if
> +* @sk owned already.
> +*/
> + if (sock_owned_by_user(sk) && sksec->sclass == SECCLASS_SCTP_SOCKET)
> + already_owned_by_user = 1;
> + else
> + lock_sock(sk);
>
> /* connected sockets are allowed to disconnect when the address family
> * is set to AF_UNSPEC, if that is what is happening we want to reset
> @@ -510,6 +555,7 @@ int selinux_netlbl_socket_connect(struct sock *sk, struct
> sockaddr *addr)
> sksec->nlbl_state = NLBL_CONNLABELED;
>
> socket_connect_return:
> - release_sock(sk);
> + if (!already_owned_by_user)
> + release_sock(sk);
> return rc;
> }
> --
> 2.13.6
>
--
paul moore
www.paul-moore.com
1 - 100 of 515 matches
Mail list logo
