| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 15 Nov 2010 17:04:49 +0100 From: Patrick McHardy <kaber@...sh.net> To: Eric Paris <eparis@...hat.com> CC: Hua Zhong <hzhong@...il.com>, netdev@...r.kernel.org, linux-kernel@...r.kernel.org, davem@...emloft.net, kuznet@....inr.ac.ru, pekkas@...core.fi, jmorris@...ei.org, yoshfuji@...ux-ipv6.org Subject: Re: [RFC PATCH] network: return errors if we know tcp_connect failed On 15.11.2010 16:57, Patrick McHardy wrote: > On 15.11.2010 16:47, Eric Paris wrote: >>> iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset >>> >>> The second one will cause a hard error for the connection. >> >> Well I'm (I guess?) surprised that the --reject-with icmp doesn't do >> anything with a local outgoing connection but --reject-with tcp-reset >> does something like what I'm looking for. >> >> I notice the heavy lifting for this is done in >> net/ipv4/netfilter/ipt_REJECT.c::send_rest() >> (and something very similar for IPv6) >> >> I really don't want to duplicate that code into SELinux (for obvious >> reasons) and I'm wondering if anyone has objections to me making it >> available outside of netlink and/or suggestions on how to make that code >> available outside of netfilter (aka what header to expose it, and does >> it still make logical sense in ipt_REJECT.c or somewhere else?) > > I don't think having SELinux sending packets to handle local > connections is a very elegant design, its not a firewall after > all. What's wrong with reacting only to specific errno codes > in tcp_connect()? You could f.i. return -ECONNREFUSED from > SELinux, that one is pretty much guaranteed not to occur in > the network stack itself and can be returned directly. One more note: there is also the problem that the RST might never reach the socket, f.i. because netfilter drops it, or TC actions reroute it etc. With netfilter users are expected to make sure the entire combination of network features does what the expect, but that's probably not what you want for SELinux. > That would need minor changes to nf_hook_slow so we can > encode errno values in the upper 16 bits of the verdict, > as we already do with the queue number. The added benefit > is that we don't have to return EPERM anymore when f.i. > rerouting fails. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists