From: Eric Dumazet
Date: Thu, 09 Aug 2012 23:29:03 +0200
> diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
> index 76dde25..ec410e0 100644
> --- a/net/ipv4/ip_output.c
> +++ b/net/ipv4/ip_output.c
> @@ -1536,6 +1536,7 @@ void ip_send_unicast_reply(struct net *net, struct
> sk_buff
On 8/9/2012 3:05 PM, Eric Dumazet wrote:
> On Thu, 2012-08-09 at 14:53 -0700, Casey Schaufler wrote:
>> On 8/9/2012 2:29 PM, Eric Dumazet wrote:
>>> smack_sk_alloc_security() uses smk_of_current() : What can be the
>>> meaning of smk_of_current() in the context of 'kernel' sockets...
>> Yes, and
On Thu, 2012-08-09 at 14:53 -0700, Casey Schaufler wrote:
> On 8/9/2012 2:29 PM, Eric Dumazet wrote:
> > smack_sk_alloc_security() uses smk_of_current() : What can be the
> > meaning of smk_of_current() in the context of 'kernel' sockets...
>
> Yes, and all of it's callers - to date - have had
On 8/9/2012 2:29 PM, Eric Dumazet wrote:
> On Thu, 2012-08-09 at 16:06 -0400, Eric Paris wrote:
>> NAK.
>>
>> I personally think commit be9f4a44e7d41cee should be reverted until it
>> is fixed. Let me explain what all I believe it broke and how.
>>
> Suggesting to revert this commit while we have
On Thu, 2012-08-09 at 16:06 -0400, Eric Paris wrote:
> NAK.
>
> I personally think commit be9f4a44e7d41cee should be reverted until it
> is fixed. Let me explain what all I believe it broke and how.
>
Suggesting to revert this commit while we have known working fixes is a
bit of strange
On Thu, Aug 9, 2012 at 4:06 PM, Eric Paris wrote:
> I'm going to work right now on exposing the equivalent struct sock LSM
> interface so we can call that as well. But it's going to take me a
> bit.
Before you go too far down this path, can you elaborate on what
exactly you mean by the above?
NAK.
I personally think commit be9f4a44e7d41cee should be reverted until it
is fixed. Let me explain what all I believe it broke and how.
Old callchain of the creation of the 'equivalent' socket previous to
the patch in question just for reference:
inet_ctl_sock_create
On Thu, 2012-08-09 at 12:05 -0400, Eric Paris wrote:
> On Thu, Aug 9, 2012 at 11:36 AM, Eric Dumazet wrote:
> > On Thu, 2012-08-09 at 11:07 -0400, Paul Moore wrote:
> >
> >> Is is possible to do the call to security_sk_alloc() in the ip_init()
> >> function
> >> or does the per-cpu nature of the
On Thu, Aug 9, 2012 at 12:05 PM, Eric Paris wrote:
> Paul, are you looking into this? This is a bandaide, not a fix
Yep, I mentioned this a few times in the other thread. The problem is
there is not going to be an easy fix for the labeling so I'd rather we
see this patch, or something like
On Thu, Aug 9, 2012 at 11:36 AM, Eric Dumazet wrote:
> On Thu, 2012-08-09 at 11:07 -0400, Paul Moore wrote:
>
>> Is is possible to do the call to security_sk_alloc() in the ip_init()
>> function
>> or does the per-cpu nature of the socket make this a pain?
>>
>
> Its a pain, if we want NUMA
On Thu, Aug 9, 2012 at 11:36 AM, Eric Dumazet wrote:
> On Thu, 2012-08-09 at 11:07 -0400, Paul Moore wrote:
>
>> Is is possible to do the call to security_sk_alloc() in the ip_init()
>> function
>> or does the per-cpu nature of the socket make this a pain?
>>
>
> Its a pain, if we want NUMA
On Thu, 2012-08-09 at 11:07 -0400, Paul Moore wrote:
> Is is possible to do the call to security_sk_alloc() in the ip_init()
> function
> or does the per-cpu nature of the socket make this a pain?
>
Its a pain, if we want NUMA affinity.
Here, each cpu should get memory from its closest node.
On Thursday, August 09, 2012 04:50:33 PM Eric Dumazet wrote:
> From: Eric Dumazet
>
> commit be9f4a44e7d41cee (ipv4: tcp: remove per net tcp_sock) added a
> selinux regression, reported and bisected by John Stultz
>
> selinux_ip_postroute_compat() expect to find a valid sk->sk_security
>
From: Eric Dumazet
commit be9f4a44e7d41cee (ipv4: tcp: remove per net tcp_sock) added a
selinux regression, reported and bisected by John Stultz
selinux_ip_postroute_compat() expect to find a valid sk->sk_security
pointer, but this field is NULL for unicast_sock
Fix this by adding a new
From: Eric Dumazet eduma...@google.com
commit be9f4a44e7d41cee (ipv4: tcp: remove per net tcp_sock) added a
selinux regression, reported and bisected by John Stultz
selinux_ip_postroute_compat() expect to find a valid sk-sk_security
pointer, but this field is NULL for unicast_sock
Fix this by
On Thursday, August 09, 2012 04:50:33 PM Eric Dumazet wrote:
From: Eric Dumazet eduma...@google.com
commit be9f4a44e7d41cee (ipv4: tcp: remove per net tcp_sock) added a
selinux regression, reported and bisected by John Stultz
selinux_ip_postroute_compat() expect to find a valid
On Thu, 2012-08-09 at 11:07 -0400, Paul Moore wrote:
Is is possible to do the call to security_sk_alloc() in the ip_init()
function
or does the per-cpu nature of the socket make this a pain?
Its a pain, if we want NUMA affinity.
Here, each cpu should get memory from its closest node.
On Thu, Aug 9, 2012 at 11:36 AM, Eric Dumazet eric.duma...@gmail.com wrote:
On Thu, 2012-08-09 at 11:07 -0400, Paul Moore wrote:
Is is possible to do the call to security_sk_alloc() in the ip_init()
function
or does the per-cpu nature of the socket make this a pain?
Its a pain, if we want
On Thu, Aug 9, 2012 at 11:36 AM, Eric Dumazet eric.duma...@gmail.com wrote:
On Thu, 2012-08-09 at 11:07 -0400, Paul Moore wrote:
Is is possible to do the call to security_sk_alloc() in the ip_init()
function
or does the per-cpu nature of the socket make this a pain?
Its a pain, if we want
On Thu, Aug 9, 2012 at 12:05 PM, Eric Paris epa...@parisplace.org wrote:
Paul, are you looking into this? This is a bandaide, not a fix
Yep, I mentioned this a few times in the other thread. The problem is
there is not going to be an easy fix for the labeling so I'd rather we
see this
On Thu, 2012-08-09 at 12:05 -0400, Eric Paris wrote:
On Thu, Aug 9, 2012 at 11:36 AM, Eric Dumazet eric.duma...@gmail.com wrote:
On Thu, 2012-08-09 at 11:07 -0400, Paul Moore wrote:
Is is possible to do the call to security_sk_alloc() in the ip_init()
function
or does the per-cpu
NAK.
I personally think commit be9f4a44e7d41cee should be reverted until it
is fixed. Let me explain what all I believe it broke and how.
Old callchain of the creation of the 'equivalent' socket previous to
the patch in question just for reference:
inet_ctl_sock_create
On Thu, Aug 9, 2012 at 4:06 PM, Eric Paris epa...@parisplace.org wrote:
I'm going to work right now on exposing the equivalent struct sock LSM
interface so we can call that as well. But it's going to take me a
bit.
Before you go too far down this path, can you elaborate on what
exactly you
On Thu, 2012-08-09 at 16:06 -0400, Eric Paris wrote:
NAK.
I personally think commit be9f4a44e7d41cee should be reverted until it
is fixed. Let me explain what all I believe it broke and how.
Suggesting to revert this commit while we have known working fixes is a
bit of strange reaction.
On 8/9/2012 2:29 PM, Eric Dumazet wrote:
On Thu, 2012-08-09 at 16:06 -0400, Eric Paris wrote:
NAK.
I personally think commit be9f4a44e7d41cee should be reverted until it
is fixed. Let me explain what all I believe it broke and how.
Suggesting to revert this commit while we have known
On Thu, 2012-08-09 at 14:53 -0700, Casey Schaufler wrote:
On 8/9/2012 2:29 PM, Eric Dumazet wrote:
smack_sk_alloc_security() uses smk_of_current() : What can be the
meaning of smk_of_current() in the context of 'kernel' sockets...
Yes, and all of it's callers - to date - have had an
On 8/9/2012 3:05 PM, Eric Dumazet wrote:
On Thu, 2012-08-09 at 14:53 -0700, Casey Schaufler wrote:
On 8/9/2012 2:29 PM, Eric Dumazet wrote:
smack_sk_alloc_security() uses smk_of_current() : What can be the
meaning of smk_of_current() in the context of 'kernel' sockets...
Yes, and all of it's
From: Eric Dumazet eric.duma...@gmail.com
Date: Thu, 09 Aug 2012 23:29:03 +0200
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 76dde25..ec410e0 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -1536,6 +1536,7 @@ void ip_send_unicast_reply(struct net *net,
28 matches
Mail list logo