Any process is able to send netlink messages with invalid types.
Make the warning rate-limited to prevent too much log spam.
The warning is supposed to help to find misbehaving programs, so
print the triggering command name and pid.
Reported-by: Florian Weimer <fwei...@redhat.com>
Signed-off-by: Vladis Dronov <vdro...@redhat.com>
---
security/selinux/hooks.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index d0cfaa9..791fc46 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4785,11 +4785,12 @@ static int selinux_nlmsg_perm(struct sock *sk, struct
sk_buff *skb)
err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
if (err) {
if (err == -EINVAL) {
- printk(KERN_WARNING
- "SELinux: unrecognized netlink message:"
- " protocol=%hu nlmsg_type=%hu sclass=%s\n",
+ pr_warn_ratelimited("SELinux: unrecognized netlink"
+ " message: protocol=%hu nlmsg_type=%hu sclass=%s"
+ " pig=%d comm=%s\n",
sk->sk_protocol, nlh->nlmsg_type,
- secclass_map[sksec->sclass - 1].name);
+ secclass_map[sksec->sclass - 1].name,
+ task_pid_nr(current), current->comm);
if (!selinux_enforcing || security_get_allow_unknown())
err = 0;
}
--
2.6.2
--
To unsubscribe from this list: send the line "unsubscribe
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
