lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 18 Feb 2009 08:23:24 +0100
From:	etienne <etienne.basset@...ericable.fr>
To:	Paul Moore <paul.moore@...com>
CC:	Casey Schaufler <casey@...aufler-ca.com>,
	Linux-Kernel <linux-kernel@...r.kernel.org>,
	linux-security-module@...r.kernel.org
Subject: Re: [PATCH] SMACK netfilter smacklabel socket match

Paul Moore wrote:
> On Tuesday 17 February 2009 03:01:15 pm etienne wrote:
>> I realize this patch is a little ugly, a cleaner way would be to insert 
>> struct smk_netlbladdr sorted from longest to smallest mask and break the
>> loop as soon as we have a match... regards,
> 
> Agreed, the address matching code really should be improved; if you feel like 
> you could contribute the changes I'm pretty sure Casey would welcome the 
> patches :)
> 
yes I could try that, this week-end maybe

> Regarding your fix below, I think a cleaner solution would be to do something 
> like the following in place of the existing mask check ...
> 
> 	if ((miap->s_addr & bestmask.s_addr) || (bestmask.s_addr == 0)) {
> 		bestmask.s_addr = miap->s_addr;
> 		bestlabel = snp->smk_label;
> 	}	
> 
> ... however there is one small problem with this approach (your proposal 
> suffers from the same issue): normally the smack_host_label() code prefers the 
> first matching entry in the list, the change above preserves that with the 
> exception of a 0.0.0.0/0 entry.  Granted, you shouldn't allow that in the 
> first place but I believe it is possible so it is something that needs to be 
> taken into consideration.
> 
hummm... I didn't see it that way; I think this function is basically a reimplementation of IPv4 classless routing (longest match first)?
anyway, I think the cleanest way would be to, well, sort smk_netlbladdr by mask on insertion (perf doesn't matter  here) and this way smack_host_label can stop the loop on first match.
Plus, it would give a nicer /smack/netlabel ouptut :)

so, how should we handle it? apply the patches (with whitespaces damages corrected ;) )  now (as it corrects a bug) an elaborate the cleaner way later?
I think this should go to stable too?

regards
Etienne

>> Signed-off-by: Etienne <etienne.basset@...ericable.fr>
>> ------
>> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
>> index 0278bc0..9d2576d 100644
>> --- a/security/smack/smack_lsm.c
>> +++ b/security/smack/smack_lsm.c
>> @@ -1540,7 +1540,7 @@ static char *smack_host_label(struct sockaddr_in
>> *sip) * If the list entry mask is less specific than the best * already
>> found this entry is uninteresting.
>>                  */
>> -               if ((miap->s_addr | bestmask.s_addr) == bestmask.s_addr)
>> +               if ( ((miap->s_addr | bestmask.s_addr) == bestmask.s_addr)
>> &&  (miap->s_addr | bestmask.s_addr) != 0  ) continue;
>>                 /*
>>                  * This is better than any entry found so far.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ