the function and jump there on error.
> }
> rc = selinux_add_opt(token, arg, mnt_opts);
> if (unlikely(rc)) {
--
paul moore
www.paul-moore.com
On Mon, Jul 8, 2019 at 2:06 PM Richard Guy Briggs wrote:
> On 2019-05-30 15:29, Paul Moore wrote:
...
> > [REMINDER: It is an "*audit* container ID" and not a general
> > "container ID" ;) Smiley aside, I'm not kidding about that part.]
> >
+-
> include/linux/sched.h | 7 +-
> init/init_task.c | 3 +-
> init/main.c | 2 +
> kernel/audit.c| 154 +-
> kernel/audit.h| 7 ++
> kernel/auditsc.c | 24 ++++---
> kernel/fork.c | 1 -
> 10 files changed, 205 insertions(+), 66 deletions(-)
--
paul moore
www.paul-moore.com
independent flowi_common struct.
Reported-by: Herbert Xu
Signed-off-by: Paul Moore
---
.../chelsio/inline_crypto/chtls/chtls_cm.c |2 +-
drivers/net/wireguard/socket.c |4 ++-
include/linux/lsm_hook_defs.h |4 ++-
include/linux
On Thu, Nov 19, 2020 at 10:02 PM James Morris wrote:
> On Thu, 19 Nov 2020, Paul Moore wrote:
> > As pointed out by Herbert in a recent related patch, the LSM hooks do
> > not have the necessary address family information to use the flowi
> > struct safely. As none of the L
Static checking revealed that a previous fix to
netlbl_unlabel_staticlist() leaves a stack variable uninitialized,
this patch fixes that.
Fixes: 866358ec331f ("netlabel: fix our progress tracking in
netlbl_unlabel_staticlist()")
Reported-by: Dan Carpenter
Signed-off-by: Paul Moore
ot; (or similar, I'm not worried about names at this
point) to each record, reset to 0/1 at the start of each event, and
when we needed to link records somehow we could add a "related=1,..,N"
field. This would potentially be useful beyond just the audit
container ID work.
--
paul moore
www.paul-moore.com
+366,7 @@ static const struct netlbl_calipso_ops *calipso_ops;
>
> /**
> * netlbl_calipso_ops_register - Register the CALIPSO operations
> + * @ops: Ops to register
If we are being nitpicky, it might be better to drop the
capitalization for the sake of consistency, e.g. "@ops: ops to
registe
On Fri, Oct 23, 2020 at 4:40 PM Richard Guy Briggs wrote:
> On 2020-10-22 21:21, Paul Moore wrote:
> > On Wed, Oct 21, 2020 at 12:39 PM Richard Guy Briggs wrote:
> > > Here is an example I was able to generate after updating the testsuite
> > > script to include a sig
On Wed, Sep 30, 2020 at 9:44 AM Paul Moore wrote:
> On Tue, Sep 29, 2020 at 7:09 PM James Morris wrote:
> > I'm not keen on adding a parameter which nobody is using. Perhaps a note
> > in the header instead?
>
> On Wed, Sep 30, 2020 at 6:14 AM Herbert Xu
> wrote:
ve in the kernel. This patch fixes this by ensuring
that the dump state is properly reset when necessary inside the
netlbl_unlabel_staticlist() function.
Fixes: 8cc44579d1bd ("NetLabel: Introduce static network labels for unlabeled
connections")
Signed-off-by: Paul Moore
--
ble to find one.
It's also worth adding that this code really hasn't changed much in a
*long* time, not that this means it isn't broken, just that it might
also be worth looking at other odd memory bugs to see if there is
chance they are wandering around and stomping on memory ...
--
paul moore
www.paul-moore.com
object.
> Does it make any sense?
Looking at it quickly, the logic above seems sane. I wrote this code
a *long* time ago, so let me get my head back into it and make sure
that still holds.
--
paul moore
www.paul-moore.com
e 4 at addr 8880179ecb18 by task syz-executor.5/20110
Almost surely the same problem as the others, I'm currently chasing
down a few remaining spots to make sure the fix I'm working on is
correct.
--
paul moore
www.paul-moore.com
On Wed, Mar 3, 2021 at 11:20 AM Paul Moore wrote:
> On Wed, Mar 3, 2021 at 10:53 AM syzbot
> wrote:
> >
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit: 7a7fd0de Merge branch 'kmap-conversion-for-5.12' of git:
with
refrerence counts")
Fixes: d7cce01504a0 ("netlabel: Add support for removing a CALIPSO DOI.")
Reported-by: syzbot+9ec037722d2603a9f...@syzkaller.appspotmail.com
Signed-off-by: Paul Moore
---
net/ipv4/cipso_ipv4.c| 11 +--
net/ipv6/calipso.c
On Thu, Mar 4, 2021 at 4:29 PM Paul Moore wrote:
>
> The current CIPSO and CALIPSO refcounting scheme for the DOI
> definitions is a bit flawed in that we:
>
> 1. Don't correctly match gets/puts in netlbl_cipsov4_list().
> 2. Decrement the refcount on each attempt to
On Thu, Mar 4, 2021 at 5:33 PM David Miller wrote:
> From: Paul Moore
> Date: Thu, 04 Mar 2021 16:29:51 -0500
>
> > +static void calipso_doi_putdef(struct calipso_doi *doi_def);
> > +
>
> This is a global symbol, so why the static decl here?
To resolve this:
CC
ov
> ---
> net/ipv4/cipso_ipv4.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Acked-by: Paul Moore
> diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
> index 471d33a..6e59902 100644
> --- a/net/ipv4/cipso_ipv4.c
> +++ b/net/ipv4/cipso_ipv4.c
> @@ -1162
sksec_new->sid = sksec_sock->sid" ... which gets us back to
this function looking like a reimplementation of
selinux_sk_clone_security(), minus the peer_sid and sclass
initializations (which should be important things to have).
I strongly suggest you try making use of the existing
security_sk_clone() hook in the vsock code, it seems like a better way
to solve this problem.
--
paul moore
www.paul-moore.com
returning early from the removal
function when the entry was previously marked invalid. This change
also had the side benefit of improving the code by decreasing the
indentation level of large chunk of code by one (accounting for most
of the diffstat).
Reported-by: Stephen Smalley
Signed-off
On Fri, Jul 17, 2020 at 8:44 PM Richard Guy Briggs wrote:
> On 2020-07-05 11:11, Paul Moore wrote:
> > On Sat, Jun 27, 2020 at 9:23 AM Richard Guy Briggs wrote:
> > >
> > > Add audit container identifier auxiliary record to user event standalone
> > > records
On Wed, Jul 29, 2020 at 3:00 PM Richard Guy Briggs wrote:
> On 2020-07-05 11:10, Paul Moore wrote:
> > On Sat, Jun 27, 2020 at 9:22 AM Richard Guy Briggs wrote:
> > >
> > > Add audit container identifier support to the action of signalling the
> > > audit
On Wed, Jul 29, 2020 at 3:41 PM Richard Guy Briggs wrote:
> On 2020-07-05 11:10, Paul Moore wrote:
> > On Sat, Jun 27, 2020 at 9:22 AM Richard Guy Briggs wrote:
...
> > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > > index f03d3eb0752c..9e79645e5c0e 100644
On Wed, Jul 29, 2020 at 4:06 PM Richard Guy Briggs wrote:
> On 2020-07-05 11:09, Paul Moore wrote:
> > On Sat, Jun 27, 2020 at 9:22 AM Richard Guy Briggs wrote:
...
> > > @@ -212,6 +219,33 @@ void __init audit_task_init(void)
> > >
On Fri, Aug 7, 2020 at 1:10 PM Richard Guy Briggs wrote:
> On 2020-07-05 11:11, Paul Moore wrote:
> > On Sat, Jun 27, 2020 at 9:23 AM Richard Guy Briggs wrote:
> > > Require the target task to be a descendant of the container
> > > orchestrator/engine.
If you want to
twork address selectors to the
NetLabel/LSM domain mapping")
Reported-by: Stephen Smalley
Signed-off-by: Paul Moore
---
net/netlabel/netlabel_domainhash.c | 59 ++--
1 file changed, 30 insertions(+), 29 deletions(-)
diff --git a/net/netlabel/ne
On Fri, Aug 21, 2020 at 2:38 PM David Miller wrote:
> From: Paul Moore
> Date: Thu, 20 Aug 2020 21:46:14 -0400
>
> > This patch fixes two main problems seen when removing NetLabel
> > mappings: memory leaks and potentially extra audit noise.
>
> These are bug fixes the
_addr.s_addr;
> - else
> + if (address->sa_family == AF_INET6)
> ad.u.net->v6info.saddr = addr6->sin6_addr;
> + else
> + ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
>
> err = avc_has_perm(&selinux_state,
>sksec->sid, sid,
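Review bot: the new `else` branch dereferences `addr4->sin_addr.s_addr` for every family other than AF_INET6, whereas before the v4 assignment was the explicit case and v6 was the fallback; the lines shown do not include where `addr4` is assigned, so please confirm it is initialized on every path where `address->sa_family != AF_INET6`, or write the branch as `else if (address->sa_family == AF_INET)` so an unexpected family cannot reach the v4 dereference.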
> --
> 1.8.3.1
>
--
paul moore
www.paul-moore.com
On Tue, May 8, 2018 at 2:40 PM, Stephen Smalley wrote:
> On 05/08/2018 01:05 PM, Paul Moore wrote:
>> On Tue, May 8, 2018 at 10:05 AM, Alexey Kodanev
>> wrote:
>>> Commit d452930fd3b9 ("selinux: Add SCTP support") breaks compatibility
>>> with the
On Wed, May 9, 2018 at 8:37 AM, Stephen Smalley wrote:
> On 05/08/2018 08:25 PM, Paul Moore wrote:
>> On Tue, May 8, 2018 at 2:40 PM, Stephen Smalley wrote:
>>> On 05/08/2018 01:05 PM, Paul Moore wrote:
>>>> On Tue, May 8, 2018 at 10:05 AM, Alexey Kodanev
>>
nk
is good), we should probably access it once, store it in a local
variable, perform the validity check on the local variable, then
commit the local variable to audit_sig_uid. I realize a TOCTOU
problem is unlikely here, but with this new layer of abstraction it
seems that some additional safety might be a good thing.
> else
> audit_sig_uid = uid;
> security_task_getsecid(tsk, &audit_sig_sid);
> --
> 1.8.3.1
--
paul moore
www.paul-moore.com
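The read-once pattern suggested in the reply above, as an added example that is not code from the thread or the kernel: the `uid_source` getter is a constructed stand-in for `audit_get_loginuid(current)`, and returning a different value on successive calls models another context changing the field between the validity check and the store. `INVALID_UID` as `(uint32_t)-1` is an assumption made for the example.

```c
/* Added example, not code from the thread: read a value once through its
 * accessor, validate the local copy, then commit that same copy.  The
 * source below is a constructed stand-in for audit_get_loginuid(current);
 * returning a different value on each call models a concurrent writer. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Encoding assumed for an unset/invalid id in this example. */
#define INVALID_UID ((uint32_t)-1)

struct uid_source {
    const uint32_t *seq;    /* values returned on successive reads */
    size_t len;
    size_t pos;
};

/* Stand-in for the accessor; the last value repeats once the sequence ends. */
static uint32_t get_uid(struct uid_source *src)
{
    uint32_t v = src->seq[src->pos];

    if (src->pos + 1 < src->len)
        src->pos++;
    return v;
}

static bool uid_is_valid(uint32_t uid)
{
    return uid != INVALID_UID;
}

/* Racy: the value that is validated and the value that is stored come from
 * two separate reads, so the check can pass on one value and the store can
 * commit another. */
uint32_t commit_uid_racy(struct uid_source *src, uint32_t fallback)
{
    if (uid_is_valid(get_uid(src)))
        return get_uid(src);    /* second read: may now be INVALID_UID */
    return fallback;
}

/* Safe: one read into a local, validate it, commit exactly that value. */
uint32_t commit_uid_once(struct uid_source *src, uint32_t fallback)
{
    uint32_t uid = get_uid(src);

    if (uid_is_valid(uid))
        return uid;
    return fallback;
}

/* Replay a constructed interleaving against either implementation and
 * return the value that would have been committed to the global. */
uint32_t replay(uint32_t (*commit)(struct uid_source *, uint32_t),
                const uint32_t *seq, size_t len)
{
    struct uid_source src = { seq, len, 0 };

    return commit(&src, 0);     /* 0 stands in for the "no valid uid" fallback */
}
```

With the sequence `{1000, INVALID_UID}` the racy version commits `INVALID_UID` even though the check passed, while the read-once version commits 1000; with a steady value both agree, which is why the bug only shows up under the race.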
== (unsigned int)-1))
>> + if (unlikely(sessionid == AUDIT_SID_UNSET))
>> sessionid = (unsigned
>> int)atomic_inc_return(&session_id);
>> }
>>
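Review bot: replacing the literal `(unsigned int)-1` with `AUDIT_SID_UNSET` is the right cleanup, but this value is visible to userspace as `ses=4294967295` in records, so the macro must expand to exactly `((unsigned int)-1)`; a BUILD_BUG_ON next to the definition would pin that down.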
>> --
>> 1.8.3.1
>>
>> --
>> Linux-audit mailing list
>> linux-au...@redhat.com
>> https://www.redhat.com/mailman/listinfo/linux-audit
>
> - RGB
>
> --
> Richard Guy Briggs
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
>
--
paul moore
www.paul-moore.com
t_syscall_entry(int major, unsigned long a1,
> unsigned long a2,
>unsigned long a3, unsigned long a4)
> {
> struct task_struct *tsk = current;
> - struct audit_context *context = tsk->audit_context;
> + struct audit_context *context = audit_context(tsk);
> enum audit_state state;
>
> if (!audit_enabled || !context)
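Review bot: the `audit_context(tsk)` accessor replaces a direct field read, and the following `if (!audit_enabled || !context)` still depends on a NULL result when the task has no audit context; make sure the accessor returns NULL (rather than a pointer to an embedded, never-initialized struct) in the CONFIG_AUDITSYSCALL=n and not-yet-allocated cases, otherwise this early return is silently lost.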
--
paul moore
www.paul-moore.com
On Wed, May 9, 2018 at 11:11 AM, Stephen Smalley wrote:
> On 05/09/2018 11:01 AM, Paul Moore wrote:
>> On Wed, May 9, 2018 at 8:37 AM, Stephen Smalley wrote:
>>> On 05/08/2018 08:25 PM, Paul Moore wrote:
>>>> On Tue, May 8, 2018 at 2:40 PM, Stephen Smalley wrote
> + },
> #endif
> #ifdef CONFIG_PERF_EVENTS
> .perf_event_mutex = __MUTEX_INITIALIZER(init_task.perf_event_mutex),
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index f294e4a..b5d8bff 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -2068,8 +2068,8 @@ int audit_set_loginuid(kuid_t loginuid)
> sessionid = (unsigned
> int)atomic_inc_return(&session_id);
> }
>
> - task->sessionid = sessionid;
> - task->loginuid = loginuid;
> + task->audit.sessionid = sessionid;
> + task->audit.loginuid = loginuid;
> out:
> audit_log_set_loginuid(oldloginuid, loginuid, oldsessionid,
> sessionid, rc);
> return rc;
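Review bot: `task->audit.sessionid` and `task->audit.loginuid` are still two separate stores and nothing in the hunk serializes them, so a reader going through the new accessors can observe a fresh sessionid paired with the old loginuid; this predates the patch, but since both fields are being moved under one `audit` struct this is the moment to either take task_lock around the pair or document that the pair is only consistent when read by `current`.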
> --
> 1.8.3.1
--
paul moore
www.paul-moore.com
rity/integrity/integrity_audit.c | 2 +-
> security/lsm_audit.c | 2 +-
> security/selinux/hooks.c | 4 +-
> security/selinux/selinuxfs.c | 6 +--
> security/selinux/ss/services.c | 12 +++---
> 21 files changed, 129 insertions(+), 79 deletions(-)
> create mode 100644 include/linux/audit_task.h
>
> --
> 1.8.3.1
>
--
paul moore
www.paul-moore.com
On Wed, May 9, 2018 at 11:34 AM, Paul Moore wrote:
> On Wed, May 9, 2018 at 11:11 AM, Stephen Smalley wrote:
>> On 05/09/2018 11:01 AM, Paul Moore wrote:
>>> On Wed, May 9, 2018 at 8:37 AM, Stephen Smalley wrote:
>>>> On 05/08/2018 08:25 PM, Paul Moore wrote:
>
On Thu, May 10, 2018 at 5:28 AM, Alexey Kodanev
wrote:
> On 10.05.2018 01:02, Paul Moore wrote:
> ...
>> I just had a better look at this and I believe that Alexey and Stephen
>> are right: this is the best option. My apologies for the noise
>> earlier. However, whi
sessionid(current),
> + task_tgid_nr(task), oldcontainerid, containerid,
> !rc);
> +
> + audit_put_tty(tty);
> + audit_log_end(ab);
> +}
> +
> +/**
> + * audit_set_containerid - set current task's audit_context containerid
> + * @containerid: containerid value
> + *
> + * Returns 0 on success, -EPERM on permission failure.
> + *
> + * Called (set) from fs/proc/base.c::proc_containerid_write().
> + */
> +int audit_set_containerid(struct task_struct *task, u64 containerid)
> +{
> + u64 oldcontainerid;
> + int rc;
> +
> + oldcontainerid = audit_get_containerid(task);
> +
> + rc = audit_set_containerid_perm(task, containerid);
> + if (!rc) {
> + task_lock(task);
> + task->containerid = containerid;
> + task_unlock(task);
> + }
> +
> + audit_log_set_containerid(task, oldcontainerid, containerid, rc);
> + return rc;
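Review bot: the kerneldoc above `audit_set_containerid()` documents only `@containerid` and says "set current task's", but the function takes a `task` argument; add `@task:` and fix the description. Also `oldcontainerid` is read before `audit_set_containerid_perm()` and outside `task_lock(task)`, so the old value in the log record may not be the one actually replaced if another writer races; reading it inside the locked section keeps the record accurate.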
Why are audit_set_containerid_perm() and audit_log_containerid()
separate functions?
--
paul moore
www.paul-moore.com
turn -EPERM;
> /* if containerid is unset, allow */
> if (!audit_containerid_set(task))
> return 0;
> --
> 1.8.3.1
--
paul moore
www.paul-moore.com
arator(msgtype, f->op,
> f->val);
> break;
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 65be110..2bba324 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -614,6 +614,9 @@ static int audit_filter_rules(struct task_struct *tsk,
> case AUDIT_LOGINUID_SET:
> result = audit_comparator(audit_loginuid_set(tsk),
> f->op, f->val);
> break;
> + case AUDIT_CONTAINERID:
> + result =
> audit_comparator64(audit_get_containerid(tsk), f->op, f->val64);
> + break;
> case AUDIT_SUBJ_USER:
> case AUDIT_SUBJ_ROLE:
> case AUDIT_SUBJ_TYPE:
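Review bot: `audit_comparator64(audit_get_containerid(tsk), f->op, f->val64)` passes `f->op` through unchanged, so ordering and bitmask operators are accepted on an opaque identifier; if only equality and inequality make sense for AUDIT_CONTAINERID, reject the other operators when the rule is added rather than here. Note also that the unset encoding is itself a value this comparison can match, so a rule written against it will fire for every task without a container ID.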
> --
> 1.8.3.1
>
--
paul moore
www.paul-moore.com
context->target_auid, context->target_uid,
> context->target_sessionid,
> - context->target_sid, context->target_comm))
> + context->target_sid, context->target_comm)
> + && audit_log_container_info(context, "target",
> context->target_cid))
Same question.
> call_panic = 1;
>
> if (context->pwd.dentry && context->pwd.mnt) {
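Review bot: the `&&` chain means `audit_log_container_info()` only runs when `audit_log_pid_context()` returns nonzero, which, given that this `if` sets `call_panic`, is its failure case; on the normal success path the target's container record is never emitted, and on failure a successful container log clears the panic. Log the container info as its own statement and set the flag from each, e.g. `if (audit_log_pid_context(...)) call_panic = 1; if (audit_log_container_info(...)) call_panic = 1;`.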
--
paul moore
www.paul-moore.com
dit_free_names(context);
> unroll_tree_refs(context, NULL, 0);
> free_tree_refs(context);
I'm reserving the option to comment on this idea further as I make my
way through the patchset, but audit_free_context() definitely
shouldn't be declared as an inline function.
--
paul moore
www.paul-moore.com
from_kuid(&init_user_ns,
> audit_get_loginuid(current)),
> +audit_get_sessionid(current), op);
> + audit_log_format(ab, " path=");
> + audit_log_untrustedstring(ab, w->path);
> + audit_log_key(ab, r->filterkey);
> + audit_log_format(ab, " list=%d res=1", r->listnr);
> + audit_log_end(ab);
> + audit_log_container_info(context, "config",
> audit_get_containerid(current));
> + audit_free_context(context);
> }
--
paul moore
www.paul-moore.com
On Wed, Apr 18, 2018 at 8:41 PM, Casey Schaufler wrote:
> On 4/18/2018 4:47 PM, Paul Moore wrote:
>> On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs wrote:
>>> Implement the proc fs write to set the audit container ID of a process,
>>> emitting an AUDIT_CONTAINER r
struct audit_context *context = audit_alloc_local();
>
> if (!audit_enabled)
> return;
Well, first I think we should be able to get rid of the local context,
but if for some reason we can't use current->audit_context then do the
allocation after the audit_enabled check.
> - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
> + ab = audit_log_start(context, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
> if (!ab)
> return;
> audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid);
> @@ -1122,6 +1123,8 @@ static void audit_log_rule_change(char *action, struct
> audit_krule *rule, int re
> audit_log_key(ab, rule->filterkey);
> audit_log_format(ab, " list=%d res=%d", rule->listnr, res);
> audit_log_end(ab);
> + audit_log_container_info(context, "config",
> audit_get_containerid(current));
> + audit_free_context(context);
> }
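Review bot: with `context` coming from `audit_alloc_local()` at the top of the function, the `if (!ab) return;` after `audit_log_start()` now leaks the local context, since `audit_free_context(context)` is only reached at the end; the early return needs a matching free (or a `goto out` that frees), in addition to moving the allocation below the `audit_enabled` check.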
--
paul moore
www.paul-moore.com
get_arch(), syscall,
> in_compat_syscall(), KSTK_EIP(current), code);
> audit_log_end(ab);
> + audit_log_container_info(context, "seccomp",
> audit_get_containerid(current));
> + audit_free_context(context);
> }
>
> struct list_head *audit_killed_trees(void)
--
paul moore
www.paul-moore.com
t;
> might_sleep();
>
> @@ -224,6 +227,9 @@ void switch_task_namespaces(struct task_struct *p, struct
> nsproxy *new)
> ns = p->nsproxy;
> p->nsproxy = new;
> task_unlock(p);
> + net_del_audit_containerid(ns->net_ns, containerid);
> + if (new)
> + net_add_audit_containerid(new->net_ns, containerid);
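Review bot: `net_del_audit_containerid(ns->net_ns, containerid)` dereferences the old `ns` unconditionally while the new nsproxy is guarded by `if (new)`; this function is also used to drop a task's namespaces on the exit path, where the existing code only touches `ns` under an `if (ns)` check, so guard the old pointer the same way.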
Okay, we might need a hook here for switching namespaces, but I would
much rather it be a generic audit hook that calls directly into audit.
--
paul moore
www.paul-moore.com
+ audit_log_container_info(context, buf, cont->id);
> + }
It seems like this could (should?) be hidden inside an audit function,
e.g. audit_log_net_containers() or something like that.
> errout:
> + audit_free_context(context);
> return XT_CONTINUE;
> }
--
paul moore
www.paul-moore.com
On Thu, Apr 19, 2018 at 8:31 AM, Richard Guy Briggs wrote:
> On 2018-04-18 21:27, Paul Moore wrote:
>> On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs wrote:
>> > Add container ID auxiliary records to configuration change, feature set
>> > change
>> > a
On Thu, Apr 19, 2018 at 8:45 AM, Richard Guy Briggs wrote:
> On 2018-04-18 22:10, Paul Moore wrote:
>> On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs wrote:
>> > Add container ID auxiliary record(s) to NETFILTER_PKT event standalone
>> > records. Iterate through
On Thu, Apr 19, 2018 at 8:42 PM, Richard Guy Briggs wrote:
> On 2018-04-18 21:31, Paul Moore wrote:
>> On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs wrote:
>> > Add container ID auxiliary records to secure computing and abnormal end
>> > standalone records.
On Thu, Apr 19, 2018 at 9:03 PM, Richard Guy Briggs wrote:
> On 2018-04-18 20:32, Paul Moore wrote:
>> On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs wrote:
...
>> > /*
>> > * audit_log_container_info - report container info
>> > - * @tsk: task to be
On Thu, Apr 19, 2018 at 9:23 PM, Richard Guy Briggs wrote:
> On 2018-04-18 20:39, Paul Moore wrote:
>> On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs wrote:
>> > Standalone audit records have the timestamp and serial number generated
>> > on the fly and as s
On Fri, Apr 20, 2018 at 4:02 PM, Richard Guy Briggs wrote:
> On 2018-04-18 21:46, Paul Moore wrote:
>> On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs wrote:
>> > Audit events could happen in a network namespace outside of a task
>> > context due to packets receive
On April 20, 2018 4:48:34 PM Richard Guy Briggs wrote:
On 2018-04-20 16:22, Paul Moore wrote:
On Fri, Apr 20, 2018 at 4:02 PM, Richard Guy Briggs wrote:
On 2018-04-18 21:46, Paul Moore wrote:
On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs wrote:
Audit events could happen in a network
On Sat, Apr 21, 2018 at 10:34 AM, Richard Guy Briggs wrote:
> On 2018-04-18 19:47, Paul Moore wrote:
>> On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs wrote:
>> > Implement the proc fs write to set the audit container ID of a process,
>> > emitting an AUDIT_CONTA
()
instead (and obviously drop the "unix_stream" portion from the hook
name).
> /* Join our sockets back to back */
> sock_hold(ska);
> --
> 2.17.0
--
paul moore
www.paul-moore.com
On Tue, Apr 24, 2018 at 1:56 PM, David Miller wrote:
> From: Paul Moore
> Date: Tue, 24 Apr 2018 13:55:31 -0400
>
>> On Mon, Apr 23, 2018 at 9:30 AM, David Herrmann
>> wrote:
>>> Use the newly created LSM-hook for unix_socketpair(). The default hook
>>> r
On Mon, Apr 23, 2018 at 10:02 PM, Richard Guy Briggs wrote:
> On 2018-04-23 19:15, Paul Moore wrote:
>> On Sat, Apr 21, 2018 at 10:34 AM, Richard Guy Briggs wrote:
>> > On 2018-04-18 19:47, Paul Moore wrote:
>> >> On Fri, Mar 16, 2018 at 5:00 AM, Ri
hook out of the AF_UNIX layer and up into the socket
layer.
--
paul moore
www.paul-moore.com
On Tue, Apr 24, 2018 at 8:40 PM, Richard Guy Briggs wrote:
> On 2018-04-24 15:01, Paul Moore wrote:
>> On Mon, Apr 23, 2018 at 10:02 PM, Richard Guy Briggs wrote:
>> > On 2018-04-23 19:15, Paul Moore wrote:
>> >> On Sat, Apr 21, 2018 at 10:34 AM, Richard Guy Briggs
were to propose a patchset to add a SKB_EXT_SECURITY skb
extension (a single extension ID to be shared among the different
LSMs), would that be something that netdev would consider merging, or
is there still a philosophical objection to things like this?
--
paul moore
www.paul-moore.com
On Wed, Aug 21, 2019 at 6:50 PM David Miller wrote:
> From: Paul Moore
> Date: Wed, 21 Aug 2019 18:00:09 -0400
>
> > I was just made aware of the skb extension work, and it looks very
> > appealing from a LSM perspective. As some of you probably remember,
> > we (t
On Thu, Aug 22, 2019 at 3:03 AM Florian Westphal wrote:
> Paul Moore wrote:
> > Hello netdev,
> >
> > I was just made aware of the skb extension work, and it looks very
> > appealing from a LSM perspective. As some of you probably remember,
> > we (the LSM fol
l a matter
of where to place the hook.
If we only care about netlink messages which leverage nlattrs I
suppose one option that I haven't seen mentioned would be to place a
hook in nla_put(). While it is a bit of an odd place for a hook, it
would allow the LSM easy access to the skb and attribute type to make
decisions, and all of the callers should already be checking the
return code (although we would need to verify this). One notable
drawback (not the only one) is that the hook is going to get hit
multiple times for each message.
--
paul moore
www.paul-moore.com
On Thu, Aug 29, 2019 at 3:45 AM Michal Kubecek wrote:
> On Tue, Aug 27, 2019 at 04:47:04PM -0400, Paul Moore wrote:
> >
> > I'm also not a big fan of inserting the hook in rtnl_fill_ifinfo(); as
> > presented it is way too specific for a LSM hook for me to be happy.
ipv4/ip_options.c | 22 +-
> 3 files changed, 34 insertions(+), 7 deletions(-)
Thanks Sergey.
Acked-by: Paul Moore
> diff --git a/include/net/ip.h b/include/net/ip.h
> index 8866bfc..f0e8d06 100644
> --- a/include/net/ip.h
> +++ b/include/net/ip.h
> @@ -667,6 +667,8 @@ static
sertions(+), 4 deletions(-)
Reviewed-by: Paul Moore
> diff --git a/include/net/icmp.h b/include/net/icmp.h
> index 6ac3a5b..e0f709d 100644
> --- a/include/net/icmp.h
> +++ b/include/net/icmp.h
> @@ -22,6 +22,7 @@
>
> #include
> #include
> +#include
>
> str
g things to threads sometimes, and obscured the subject
line), however, I did look at the content of the patch before giving it my
thumbs up. Claiming the email wasn't read isn't correct (although you
could rightly argue I didn't read the subject line), and neither is
claiming that I'm "rubber stamping crap".
--
paul moore
www.paul-moore.com
y the netlbl_bitmap_walk() patch to
cipso_v4_bitmap_walk() as netlbl_bitmap_walk() doesn't exist before
Linux v4.8.
Reported-by: Jann Horn
Fixes: 446fda4f2682 ("[NetLabel]: CIPSOv4 engine")
Fixes: 3faa8f982f95 ("netlabel: Move bitmap manipulation functions to the
NetLabel core.")
> + if (rc != 0) {
> + netlbl_secattr_free(secattr);
> + }
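Review bot: the `if (rc != 0)` path frees `secattr` without detaching it from wherever a pointer to it was cached earlier in the function; if the socket's security blob already holds it, normal socket teardown will free it a second time, so either clear that cached pointer before freeing or leave the free to the teardown path. Style: kernel code does not put braces around a single-statement `if` body.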
This is likely going to cause a problem as the
sock->sk_security->nlbl_secattr still has a reference to the secattr
pointer you are releasing here. Assuming things are working correctly
elsewhere, I believe freeing secattr here will result in a double free
when the network stacks cleans up after the failed socket creation
(via the sock_release() call in the error handling code).
It looks like you may have found this via a test tool (syzbot?), do
you have a reproducer you can share?
--
paul moore
www.paul-moore.com
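The ownership problem described in the reply above, as an added example that is not code from the thread or the kernel: `struct sock`, `struct secattr`, `sock_genattr()`, `sock_setattr()` and `sock_release()` are constructed stand-ins for `sk_security->nlbl_secattr`, `selinux_netlbl_sock_genattr()`, `netlbl_sock_setattr()` and the socket teardown path, and frees are counted instead of performed so the double free is observable rather than undefined behaviour. Two fixes are shown beside the buggy version: leave the free to the owner, or detach before freeing.

```c
/* Added example, not code from the thread: who owns a NetLabel secattr once
 * it has been cached on the socket's security blob.  All names here are
 * constructed stand-ins for the kernel objects named in the lead-in. */
#include <stddef.h>

struct secattr {
    int label;
    int freed;                  /* instrumentation: number of frees seen */
};

struct sock {
    struct secattr *nlbl_secattr;   /* owned by the socket once cached */
};

/* Count frees instead of calling free() so a second free is visible. */
static void secattr_free(struct secattr *s)
{
    if (s)
        s->freed++;
}

/* Caches the secattr on the socket; from here on the socket owns it. */
static struct secattr *sock_genattr(struct sock *sk, struct secattr *s)
{
    sk->nlbl_secattr = s;
    return s;
}

/* Applies the cached secattr to the protocol; fails after the cache step. */
static int sock_setattr(struct sock *sk, struct secattr *s, int fail)
{
    (void)sk;
    (void)s;
    return fail ? -1 : 0;       /* e.g. -ENOMEM from the labelling engine */
}

/* Teardown after a failed socket creation frees whatever the socket owns. */
static void sock_release(struct sock *sk)
{
    secattr_free(sk->nlbl_secattr);
    sk->nlbl_secattr = NULL;
}

/* The quoted patch: free on error while the socket still holds the pointer.
 * Returns how many times the secattr was freed in total. */
int post_create_buggy(struct secattr *s)
{
    struct sock sk = { NULL };
    struct secattr *attr = sock_genattr(&sk, s);
    int rc = sock_setattr(&sk, attr, 1);

    if (rc != 0)
        secattr_free(attr);     /* first free */
    sock_release(&sk);          /* second free of the same object */
    return s->freed;
}

/* Fix 1: report the error and leave the object to its owner. */
int post_create_owner_frees(struct secattr *s)
{
    struct sock sk = { NULL };
    struct secattr *attr = sock_genattr(&sk, s);
    int rc = sock_setattr(&sk, attr, 1);

    (void)rc;                   /* caller propagates rc; no free here */
    sock_release(&sk);
    return s->freed;
}

/* Fix 2: if the error path really must free eagerly, detach first so the
 * owner cannot free it again. */
int post_create_detach_then_free(struct secattr *s)
{
    struct sock sk = { NULL };
    struct secattr *attr = sock_genattr(&sk, s);
    int rc = sock_setattr(&sk, attr, 1);

    if (rc != 0) {
        sk.nlbl_secattr = NULL; /* take ownership back */
        secattr_free(attr);
    }
    sock_release(&sk);
    return s->freed;
}
```

The buggy path reports two frees of one object, both fixes report exactly one; in real code the second free is what a sanitizer or syzbot report would flag as a double free at `sock_release()` time.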
On Fri, Mar 8, 2019 at 1:31 AM maowenan wrote:
> On 2019/3/8 4:36, Paul Moore wrote:
> > On Wed, Mar 6, 2019 at 9:44 PM Mao Wenan wrote:
> >>
> >> If netlbl_sock_setattr() is failed, it directly returns rc and forgets
> >> to free secattr.
> >>
m -net trees.
For patches that warrant inclusion in -stable, I merge them into the
current selinux/stable-X.Y and send it up to Linus once it passes some
basic sanity tests. Since we're still only half-way through the merge
window, and this is an obvious bug fix, I think this qualifies as
-stable material.
I'm traveling at the moment with not-so-great connectivity, but I'll
get this merged and verified early next week.
--
paul moore
www.paul-moore.com
On Fri, Mar 8, 2019 at 9:47 PM Paul Moore wrote:
> On Fri, Mar 8, 2019 at 12:08 PM Marcelo Ricardo Leitner
> wrote:
> > On Sat, Mar 09, 2019 at 12:07:34AM +0800, Xin Long wrote:
> > > As does in __sctp_connect(), when checking addrs in a while loop, after
> > >
> > somehow re-use shutdown() stuff? It gets very confusing, and after
> > all, it still is, in essence, a connect() syscall.
>
> The function checks CONNECT permission on entry, before reaching this
> point. This logic is only in preparation for a further check
> (NAME_CONNECT) on the port. In this case, there is no further check to
> perform and we can just return.
I agree with Stephen, in the connect(AF_UNSPEC) case the right thing
to do is to simply return with no error.
I would also suggest that since this patch only touches the SELinux
code it really should go in via the SELinux tree and not netdev; this
will help avoid merge conflicts in the linux-next tree and during the
merge window. I think the right thing to do at this point is to
create a revert patch (or have DaveM do it, I'm not sure what he
prefers in situations like this) for this commit, make the adjustments
that Stephen mentioned and submit them for the SELinux tree.
Otherwise, thanks for catching this and submitting a fix :)
--
paul moore
www.paul-moore.com
On Thu, May 9, 2019 at 4:40 AM Paolo Abeni wrote:
> On Wed, 2019-05-08 at 17:17 -0400, Paul Moore wrote:
> > On Wed, May 8, 2019 at 2:55 PM Stephen Smalley wrote:
> > > On 5/8/19 2:27 PM, Marcelo Ricardo Leitner wrote:
> > > > On Wed, May 08, 2019 at 02:13:17P
to ipv6_renew_option() and have it
> do this pointer dance instead?
>
> That's going to definitely be easier to read.
I agree, that struck me as a little odd. I'll rework that too. I'll
send you guys something this week to take a look at.
Thanks.
> I don't know
From: Paul Moore
At present the ipv6_renew_options_kern() function ends up calling into
access_ok() which is problematic if done from inside an interrupt as
access_ok() calls WARN_ON_IN_IRQ() on some (all?) architectures
(x86-64 is affected). Example warning/backtrace is shown below:
WARNING
d->state >= SCTP_STATE_ESTABLISHED)
> + err = -EISCONN;
> + else
> + err = -EALREADY;
> + goto free;
> }
>
> - /* If the SCTP_INIT ancillary data is specified, set all
> - * the association init values accordingly.
> - */
> - if (sinit) {
> - if (sinit->sinit_num_ostreams) {
> - __u16 outcnt = sinit->sinit_num_ostreams;
> -
> - asoc->c.sinit_num_ostreams = outcnt;
> - /* outcnt has been changed, so re-init stream
> */
> - err = sctp_stream_init(&asoc->stream, outcnt,
> 0,
> - GFP_KERNEL);
> - if (err)
> - goto out_free;
> - }
> - if (sinit->sinit_max_instreams) {
> - asoc->c.sinit_max_instreams =
> - sinit->sinit_max_instreams;
> - }
> - if (sinit->sinit_max_attempts) {
> - asoc->max_init_attempts
> - = sinit->sinit_max_attempts;
> - }
> - if (sinit->sinit_max_init_timeo) {
> - asoc->max_init_timeo =
> -
> msecs_to_jiffies(sinit->sinit_max_init_timeo);
> - }
> + if (sctp_endpoint_is_peeled_off(ep, daddr)) {
> + err = -EADDRNOTAVAIL;
> + goto free;
> }
>
> - /* Prime the peer's transport structures. */
> - transport = sctp_assoc_add_peer(asoc, &to, GFP_KERNEL,
> SCTP_UNKNOWN);
> + transport = sctp_assoc_add_peer(asoc, daddr, GFP_KERNEL,
> + SCTP_UNKNOWN);
> if (!transport) {
> err = -ENOMEM;
> - goto out_free;
> + goto free;
> }
> }
>
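Review bot: this hunk deletes the whole `sinit` block (sinit_num_ostreams with its `sctp_stream_init()` re-init, sinit_max_instreams, sinit_max_attempts, sinit_max_init_timeo) without replacing it here; please point to where in the series the SCTP_INIT ancillary values are now applied to the new association, and confirm that a failing `sctp_stream_init()` on that path still returns the error instead of sending INIT with default stream counts. The reordered `-EISCONN`/`-EALREADY` and peeled-off `-EADDRNOTAVAIL` checks look right as long as they still precede that point.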
--
paul moore
www.paul-moore.com
On Wed, Feb 21, 2018 at 3:45 PM, Paul Moore wrote:
> On February 21, 2018 9:33:51 AM Marcelo Ricardo Leitner
> wrote:
>> On Tue, Feb 20, 2018 at 07:15:27PM +, Richard Haines wrote:
>>> Add ip option support to allow LSM security modules to utilise CIPSO/IPv4
>>
On Thu, Feb 22, 2018 at 9:40 PM, Marcelo Ricardo Leitner
wrote:
> On Thu, Feb 22, 2018 at 06:08:05PM -0500, Paul Moore wrote:
>> On Wed, Feb 21, 2018 at 3:45 PM, Paul Moore wrote:
>> > On February 21, 2018 9:33:51 AM Marcelo Ricardo Leitner
>> > wrote:
>> >
uct sock *sk, char
> __user *optval, unsigned
> if (val) {
> int min_len, max_len;
>
> - min_len = SCTP_DEFAULT_MINSEGMENT -
> sp->pf->af->net_header_len;
> + min_len = SCTP_DEFAULT_MINSEGMENT - af->net_header_len;
> + min_len -= af->ip_options_len(sk);
> min_len -= sizeof(struct sctphdr) +
>sizeof(struct sctp_data_chunk);
>
> @@ -3175,7 +3177,8 @@ static int sctp_setsockopt_maxseg(struct sock *sk, char
> __user *optval, unsigned
> asoc = sctp_id2assoc(sk, params.assoc_id);
> if (asoc) {
> if (val == 0) {
> - val = asoc->pathmtu - sp->pf->af->net_header_len;
> + val = asoc->pathmtu - af->net_header_len;
> + val -= af->ip_options_len(sk);
> val -= sizeof(struct sctphdr) +
>sctp_datachk_len(&asoc->stream);
> }
> @@ -5087,9 +5090,11 @@ int sctp_do_peeloff(struct sock *sk, sctp_assoc_t id,
> struct socket **sockp)
> sctp_copy_sock(sock->sk, sk, asoc);
>
> /* Make peeled-off sockets more like 1-1 accepted sockets.
> -* Set the daddr and initialize id to something more random
> +* Set the daddr and initialize id to something more random and also
> +* copy over any ip options.
> */
> sp->pf->to_sk_daddr(&asoc->peer.primary_addr, sk);
> + sp->pf->copy_ip_options(sk, sock->sk);
>
> /* Populate the fields of the newsk from the oldsk and migrate the
> * asoc to the newsk.
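Review bot: in the peeloff hunk `sp->pf->copy_ip_options(sk, sock->sk)` is called without checking a result; if the callback allocates a copy of the options block, an allocation failure is silently ignored and the peeled-off socket ends up without the parent's CIPSO option, which is a label downgrade rather than a visible error. Either have the callback return an int and fail the peeloff, or document that it cannot fail. In the maxseg hunks `min_len -= af->ip_options_len(sk)` is the right adjustment; just confirm `af` is assigned before the `if (val)` block, since the old code used `sp->pf->af` there.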
> --
> 2.14.3
>
--
paul moore
www.paul-moore.com
was the only failure, or did you just run the
connect01 test? Either answer is fine, I'm just trying to understand
the scope of the regression.
Richard, are you able to look into this? If not, let me know and I'll
dig a bit deeper (I'll likely take a quick look today, but if the
failure is subtle it might require some digging).
--
paul moore
www.paul-moore.com
On Thu, Mar 1, 2018 at 9:36 AM, Richard Haines
wrote:
> On Thu, 2018-03-01 at 08:42 -0500, Paul Moore wrote:
>> On Thu, Mar 1, 2018 at 3:33 AM, Anders Roxell wrote:
>> > Hi,
>> >
>> > I was running LTP's testcase connect01 [1] and found a re
On March 1, 2018 9:36:37 AM Richard Haines
wrote:
> On Thu, 2018-03-01 at 08:42 -0500, Paul Moore wrote:
>> On Thu, Mar 1, 2018 at 3:33 AM, Anders Roxell wrote:
>> > Hi,
>> >
>> > I was running LTP's testcase connect01 [1] and found a re
On Thu, Mar 1, 2018 at 3:01 PM, Anders Roxell wrote:
> On 1 March 2018 at 14:42, Paul Moore wrote:
>> On Thu, Mar 1, 2018 at 3:33 AM, Anders Roxell
>> wrote:
>>> Hi,
>>>
>>> I was running LTP's testcase connect01 [1] and found a regression in
other tit-for-tat games to circumvent the basic checks.
FYI, I think you may have a problem with something in your outgoing
mail path; I didn't receive the original patchset you are referencing
and it doesn't appear in the mail archive either.
--
paul moore
www.paul-moore.com
On Fri, Mar 2, 2018 at 1:23 PM, Matthew Wilcox wrote:
> On Fri, Mar 02, 2018 at 10:48:42AM -0500, Paul Moore wrote:
>> On Thu, Mar 1, 2018 at 8:41 PM, Richard Guy Briggs wrote:
>> > On 2018-03-01 14:41, Richard Guy Briggs wrote:
>> FYI, I think you may have a proble
On Fri, Mar 2, 2018 at 2:25 PM, Paul Moore wrote:
> On Fri, Mar 2, 2018 at 1:23 PM, Matthew Wilcox wrote:
>> On Fri, Mar 02, 2018 at 10:48:42AM -0500, Paul Moore wrote:
>>> On Thu, Mar 1, 2018 at 8:41 PM, Richard Guy Briggs wrote:
>>> > On 2018-03-01 14:41, Richar
+ break;
> + default:
> + /* Note that SCTP services expect -EINVAL, whereas
> +* others expect -EAFNOSUPPORT.
> + */
> + if (sksec->sclass == SECCLASS_SCTP_SOCKET)
> + return -EINVAL;
> + else
> + return -EAFNOSUPPORT;
> }
>
> err = sel_netport_sid(sk->sk_protocol, snum, &sid);
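Review bot: the `default:` branch now picks the errno by socket class (`-EINVAL` for SCTP, `-EAFNOSUPPORT` for everything else) rather than by which address family was rejected; that is a reasonable ABI-preserving choice, but the comment should say whose behaviour is being mirrored (the SCTP bind/connect family-mismatch return) so nobody later "normalizes" it to `-EAFNOSUPPORT`, which is exactly the kind of return-code change the LTP connect01 regression in this thread was about. Since every non-matching family returns inside the switch, the `sel_netport_sid()` call that follows is only reached for the handled families, which is correct.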
> --
> 2.14.3
>
--
paul moore
www.paul-moore.com
_isset().
>> +{
>> + return audit_get_containerid(tsk) != INVALID_CID;
>> +}
--
paul moore
www.paul-moore.com
From: Paul Moore
Starting with v4.16-rc1 we've been seeing a higher than usual number
of requests for the kernel to load networking modules, even on events
which shouldn't trigger a module load (e.g. ioctl(TCGETS)). Stephen
Smalley suggested the problem may lie in commit 44
On Tue, Mar 6, 2018 at 5:27 PM, Paul Moore wrote:
> From: Paul Moore
>
> Starting with v4.16-rc1 we've been seeing a higher than usual number
> of requests for the kernel to load networking modules, even on events
> which shouldn't trigger a module load (e.g. ioctl(TCG
On Tue, Mar 6, 2018 at 6:59 PM, Stephen Hemminger
wrote:
> On Tue, 06 Mar 2018 17:27:44 -0500
> Paul Moore wrote:
>> From: Paul Moore
>>
>> Starting with v4.16-rc1 we've been seeing a higher than usual number
>> of requests for the kernel to load networki
as
> being submitted.
The selinux/next branch is based on v4.16-rc1 and doesn't feed into
the netdev tree, it goes straight to Linus during the merge window so
unfortunately I think we may need to carry this for some time and
relay this fix-up patch up to Linus during the merge window.
--
paul moore
www.paul-moore.com
On Wed, Mar 7, 2018 at 11:41 AM, David Miller wrote:
> From: Paul Moore
> Date: Wed, 7 Mar 2018 11:34:31 -0500
>> On Mon, Mar 5, 2018 at 2:03 AM, Xin Long wrote:
>>> On Mon, Mar 5, 2018 at 9:40 AM, Stephen Rothwell
>>> wrote:
>>>> Hi Paul,
>>
On Wed, Mar 7, 2018 at 12:45 PM, David Miller wrote:
> From: Paul Moore
> Date: Wed, 7 Mar 2018 12:27:52 -0500
>
>> I'm not sure we could have cleanly separated the core network stack
>> changes from the rest of the SELinux/SCTP enablement, regardless it's
>>
On Wed, Mar 7, 2018 at 3:26 PM, David Miller wrote:
> From: Paul Moore
> Date: Wed, 7 Mar 2018 15:20:33 -0500
>
>>> So you would only have to wait until my tree went in before
>>> sending your pull request.
>>
>> So you would want me to rebase selinux/next