Date: Wed, 4 May 2011 11:28:24 +0900
From: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
To: paul.moore@...com, sam@...ack.fr
Cc: linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org, netdev@...r.kernel.org, netfilter-devel@...r.kernel.org, hadi@...erus.ca, kaber@...sh.net, zbr@...emap.net, root@...aldomain.pl
Subject: Re: [RFC v3 02/10] Revert "lsm: Remove the socket_post_accept() hook"

Paul Moore wrote:
> On Tuesday, May 03, 2011 10:24:15 AM Samir Bellabes wrote:
> > snet needs to reintroduce this hook, as it was designed to be: a hook for
> > updating security information on objects.
>
> Looking at this and 5/10 again, it seems that you should be able to do what
> you need with the sock_graft() hook. Am I missing something?
>
> My apologies if we've already discussed this approach previously ...

static void snet_socket_post_accept(struct socket *sock, struct socket *newsock) {
	static void snet_do_send_event(struct snet_info *info) {
		int snet_nl_send_event(struct snet_info *info) {
			skb_rsp = genlmsg_new(size, GFP_KERNEL);
			genlmsg_unicast()
		}
	}
}

First problem with using snet_do_send_event() from security_sock_graft() is
that we have to use GFP_ATOMIC rather than GFP_KERNEL because we are inside
write_lock_bh()/write_unlock_bh().

static inline int genlmsg_unicast(struct net *net, struct sk_buff *skb, u32 pid) {
	static inline int nlmsg_unicast(struct sock *sk, struct sk_buff *skb, u32 pid) {
		int netlink_unicast(struct sock *ssk, struct sk_buff *skb, u32 pid, MSG_DONTWAIT) {
			int netlink_attachskb(struct sock *sk, struct sk_buff *skb, long *timeo, struct sock *ssk) {
				if (!*timeo) {
					return -EAGAIN;
				}
			}
		}
	}
}

Second problem is that genlmsg_unicast() might return -EAGAIN because we can't
sleep inside write_lock_bh()/write_unlock_bh().

Third problem (though independent of security_sock_graft()) is that
snet_do_send_event() ignores snet_nl_send_event() failure.
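A userspace analogue of the second and third problems in the message above, as an added example that is not part of the original message or of the snet patches: a send made with MSG_DONTWAIT (the flag shown on netlink_unicast() in the trace) returns EAGAIN once the receiver's queue is full, so the sender has to check the result and account for every lost event. The AF_UNIX socketpair, the names send_event_nowait(), flood_events() and struct event_stats, and the message size are assumptions chosen for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed counters: every send attempt lands in exactly one bucket. */
struct event_stats { long sent, dropped, failed; };

/* Hypothetical helper: send without sleeping, return 0 or -errno. */
static int send_event_nowait(int fd, const void *buf, size_t len)
{
    ssize_t n;
    do {
        n = send(fd, buf, len, MSG_DONTWAIT);
    } while (n < 0 && errno == EINTR);
    return n < 0 ? -errno : 0;
}

/* Emit `count` events to a peer that never reads, so its queue fills up. */
int flood_events(long count, struct event_stats *st)
{
    char msg[512];
    int sv[2];
    memset(st, 0, sizeof(*st));
    memset(msg, 'E', sizeof(msg));   /* constructed payload */
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -errno;
    for (long i = 0; i < count; i++) {
        int rc = send_event_nowait(sv[0], msg, sizeof(msg));
        if (rc == 0)
            st->sent++;
        else if (rc == -EAGAIN)      /* queue full and we may not wait */
            st->dropped++;
        else
            st->failed++;
    }
    close(sv[0]);
    close(sv[1]);
    return 0;
}

int main(void)
{
    struct event_stats st;
    if (flood_events(20000, &st) != 0)
        return 1;
    printf("sent=%ld dropped=%ld failed=%ld\n", st.sent, st.dropped, st.failed);
    return 0;
}
```

A sender that discarded the return value of send_event_nowait() would report all 20000 events as delivered; the dropped counter is what a security event channel needs in order to notice and report the gap.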