Gitweb:     
http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=71f1cb05f773661b6fa98c7a635d7a395cd9c55d
Commit:     71f1cb05f773661b6fa98c7a635d7a395cd9c55d
Parent:     effad8df44261031a882e1a895415f7186a5098e
Author:     Paul Moore <[EMAIL PROTECTED]>
AuthorDate: Tue Jan 29 08:51:16 2008 -0500
Committer:  James Morris <[EMAIL PROTECTED]>
CommitDate: Wed Jan 30 08:17:30 2008 +1100

    SELinux: Add warning messages on network denial due to error
    
    Currently network traffic can be silently dropped due to non-avc errors
    which can lead to much confusion when trying to debug the problem.  This
    patch adds warning messages so that when these events occur there is a
    user-visible notification.
    
    Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
    Signed-off-by: James Morris <[EMAIL PROTECTED]>
---
 security/selinux/hooks.c   |   29 ++++++++++++++++++++++++-----
 security/selinux/netif.c   |   13 +++++++++++--
 security/selinux/netnode.c |    6 +++++-
 3 files changed, 40 insertions(+), 8 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index b3c0647..81bfcf1 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3443,6 +3443,11 @@ static int selinux_parse_skb(struct sk_buff *skb, struct 
avc_audit_data *ad,
                break;
        }
 
+       if (unlikely(ret))
+               printk(KERN_WARNING
+                      "SELinux: failure in selinux_parse_skb(),"
+                      " unable to parse packet\n");
+
        return ret;
 }
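Review bot: The warning added before `return ret` fires once per unparseable packet with no rate limiting, and the input here is the skb itself, so a remote sender feeding malformed frames can drive the kernel log as fast as it can transmit. Gate it on the network rate limiter: `if (unlikely(ret) && net_ratelimit())` (or `printk_ratelimit()` if that header is not already in scope). The message also drops the value of ret, which is the one fact a debugger needs; `" unable to parse packet (err=%d)\n", ret` is cheap to add. selinux_parse_skb() starts before this hunk, so which branches set ret is not visible here.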
 
@@ -3463,6 +3468,7 @@ static int selinux_parse_skb(struct sk_buff *skb, struct 
avc_audit_data *ad,
  */
 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
 {
+       int err;
        u32 xfrm_sid;
        u32 nlbl_sid;
        u32 nlbl_type;
@@ -3470,10 +3476,13 @@ static int selinux_skb_peerlbl_sid(struct sk_buff *skb, 
u16 family, u32 *sid)
        selinux_skb_xfrm_sid(skb, &xfrm_sid);
        selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
 
-       if (security_net_peersid_resolve(nlbl_sid, nlbl_type,
-                                        xfrm_sid,
-                                        sid) != 0)
+       err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
+       if (unlikely(err)) {
+               printk(KERN_WARNING
+                      "SELinux: failure in selinux_skb_peerlbl_sid(),"
+                      " unable to determine packet's peer label\n");
                return -EACCES;
+       }
 
        return 0;
 }
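Review bot: The new printk in the `unlikely(err)` branch is unratelimited on a per-packet path, so peers whose labels cannot be resolved, or an attacker deliberately sending such packets, can flood the log; wrap it as `if (net_ratelimit())` inside the branch. The message discards err just before the function collapses it to -EACCES, so include it: `" unable to determine packet's peer label (err=%d)\n", err`. Note that the return values of selinux_skb_xfrm_sid() and selinux_netlbl_skbuff_getsid() on the lines above are still unchecked; that is pre-existing, but if either can fail the warning will attribute the failure to the resolve step.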
@@ -3925,8 +3934,13 @@ static int selinux_sock_rcv_skb_iptables_compat(struct 
sock *sk,
        err = security_port_sid(sk->sk_family, sk->sk_type,
                                sk->sk_protocol, ntohs(ad->u.net.sport),
                                &port_sid);
-       if (err)
+       if (unlikely(err)) {
+               printk(KERN_WARNING
+                      "SELinux: failure in"
+                      " selinux_sock_rcv_skb_iptables_compat(),"
+                      " network port label not found\n");
                return err;
+       }
        return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
 }
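Review bot: This warning sits on the socket receive path and is emitted for every packet whose port has no SID, so it needs a `net_ratelimit()` guard; as written a burst of traffic to an unlabeled port becomes a burst of log lines. The text "network port label not found" assumes the only way security_port_sid() fails is a missing mapping; its body is not visible here, and if it can return other errors the message will mislead, so print err too: `" network port label not found (err=%d)\n", err`. The enclosing function begins before this hunk.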
 
@@ -4343,8 +4357,13 @@ static int selinux_ip_postroute_iptables_compat(struct 
sock *sk,
        err = security_port_sid(sk->sk_family, sk->sk_type,
                                sk->sk_protocol, ntohs(ad->u.net.dport),
                                &port_sid);
-       if (err)
+       if (unlikely(err)) {
+               printk(KERN_WARNING
+                      "SELinux: failure in"
+                      " selinux_ip_postroute_iptables_compat(),"
+                      " network port label not found\n");
                return err;
+       }
        return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
 }
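Review bot: The new printk runs for every outbound packet whose destination port lookup fails, and an unprivileged local process can generate those at will, so guard it with `net_ratelimit()`. The port that failed is already at hand and logging it makes the message actionable: `" network port label not found for port %u (err=%d)\n", ntohs(ad->u.net.dport), err`. The function's start is outside this hunk.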
 
diff --git a/security/selinux/netif.c b/security/selinux/netif.c
index ee49a73..013d311 100644
--- a/security/selinux/netif.c
+++ b/security/selinux/netif.c
@@ -157,8 +157,12 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid)
         * currently support containers */
 
        dev = dev_get_by_index(&init_net, ifindex);
-       if (dev == NULL)
+       if (unlikely(dev == NULL)) {
+               printk(KERN_WARNING
+                      "SELinux: failure in sel_netif_sid_slow(),"
+                      " invalid network interface (%d)\n", ifindex);
                return -ENOENT;
+       }
 
        spin_lock_bh(&sel_netif_lock);
        netif = sel_netif_find(ifindex);
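Review bot: The `dev == NULL` branch returns before any cache entry is made, so every lookup against a removed or bogus ifindex takes this slow path and logs again, one warning per packet with no rate limit. Guard it: `if (unlikely(dev == NULL)) { if (net_ratelimit()) printk(KERN_WARNING "SELinux: failure in sel_netif_sid_slow(), invalid network interface (%d)\n", ifindex); return -ENOENT; }`. sel_netif_sid_slow() continues past the end of this hunk.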
@@ -184,8 +188,13 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid)
 out:
        spin_unlock_bh(&sel_netif_lock);
        dev_put(dev);
-       if (ret != 0)
+       if (unlikely(ret)) {
+               printk(KERN_WARNING
+                      "SELinux: failure in sel_netif_sid_slow(),"
+                      " unable to determine network interface label (%d)\n",
+                      ifindex);
                kfree(new);
+       }
        return ret;
 }
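Review bot: The failure message at `out:` hides the cause: ret can be set by steps above this hunk that are not visible here, and a reader gets only the ifindex. Print ret alongside it: `" unable to determine network interface label (%d): err=%d\n", ifindex, ret`. This site also logs on the slow path per packet when the failure is not cached, so it wants the same `net_ratelimit()` guard as the other sites.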
 
diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c
index 49c5277..f3c526f 100644
--- a/security/selinux/netnode.c
+++ b/security/selinux/netnode.c
@@ -264,8 +264,12 @@ static int sel_netnode_sid_slow(void *addr, u16 family, 
u32 *sid)
 
 out:
        spin_unlock_bh(&sel_netnode_lock);
-       if (ret != 0)
+       if (unlikely(ret)) {
+               printk(KERN_WARNING
+                      "SELinux: failure in sel_netnode_sid_slow(),"
+                      " unable to determine network node label\n");
                kfree(new);
+       }
        return ret;
 }
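Review bot: The warning at `out:` names neither the address family nor the error code, so it cannot be matched to a specific lookup; `family` is a parameter of this function and `ret` is in hand: `" unable to determine network node label (family=%u, err=%d)\n", family, ret`. As with the other sites, this runs per packet on the slow path and should be wrapped in `net_ratelimit()` to keep a remote sender from flooding the log. The body of sel_netnode_sid_slow() before `out:` is outside the hunk.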
 