lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <200905191801.07388.paul.moore@hp.com>
Date:	Tue, 19 May 2009 18:01:06 -0400
From:	Paul Moore <paul.moore@...com>
To:	Eric Paris <eparis@...isplace.org>
Cc:	Eric Paris <eparis@...hat.com>, linux-kernel@...r.kernel.org,
	stable@...nel.org, selinux@...ho.nsa.gov, jmorris@...ei.org,
	sds@...ho.nsa.gov, manoj.iyer@...onical.com
Subject: Re: [PATCH] SELinux: BUG in SELinux compat_net code

On Tuesday 19 May 2009 05:53:52 pm Eric Paris wrote:
> Sometimes I'm an idiot, messed up TWO e-mail addresses....   stable
> and selinux, so I'm hitting both of those lists with this reply...

... and I fell for it too when ack'ing the patch.  I may write buggy code but 
at least I submit it to the write addresses ;)

Anyway, looks good to me.

Acked-by: Paul Moore <paul.moore@...com>

> On Tue, May 19, 2009 at 5:41 PM, Eric Paris <eparis@...hat.com> wrote:
> > This patch is not applicable to Linus's tree as the code in question has
> > been removed for 2.6.30.  I'm sending in case any of the stable
> > maintainers would like to push to their branches (which I think anything
> > pre 2.6.30 would like to do).
> >
> > Ubuntu users were experiencing a kernel panic when they enabled SELinux
> > due to an old bug in our handling of the compatibility mode network
> > controls, introduced Jan 1 2008 effad8df44261031a882e1a895415f7186a5098e
> > Most distros have not used the compat_net code since the new code was
> > introduced and so noone has hit this problem before.  Ubuntu is the only
> > distro I know that enabled that legacy cruft by default.  But, I was ask
> > to look at it and found that the above patch changed a call to
> > avc_has_perm from if(send_perm) to if(!send_perm) in
> > selinux_ip_postroute_iptables_compat().  The result is that users who
> > turn on SELinux and have compat_net set can (and oftern will) BUG() in
> > avc_has_perm_noaudit since they are requesting 0 permissions.
> >
> > This patch corrects that accidental bug introduction.
> >
> > Signed-off-by: Eric Paris <eparis@...hat.com>
> >
> > ---
> >
> >  security/selinux/hooks.c |    2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff -up linux-source-2.6.28/security/selinux/hooks.c.pre.send
> > linux-source-2.6.28/security/selinux/hooks.c ---
> > linux-source-2.6.28/security/selinux/hooks.c.pre.send       2009-05-18
> > 13:23:16.043632602 -0400 +++ linux-source-2.6.28/security/selinux/hooks.c
> >        2009-05-18 13:23:27.899632772 -0400 @@ -4561,7 +4561,7 @@ static
> > int selinux_ip_postroute_iptables
> >        if (err)
> >                return err;
> >
> > -       if (send_perm != 0)
> > +       if (!send_perm)
> >                return 0;
> >
> >        err = sel_netport_sid(sk->sk_protocol,
> >
> >
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-kernel"
> > in the body of a message to majordomo@...r.kernel.org
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> > Please read the FAQ at  http://www.tux.org/lkml/

-- 
paul moore
linux @ hp

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ