| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <e7ec908e-01c1-b76d-f797-545b70a49075@tycho.nsa.gov>
Date: Mon, 13 Jan 2020 08:47:00 -0500
From: Stephen Smalley <sds@...ho.nsa.gov>
To: Huaisheng Ye <yehs2007@...o.com>, paul@...l-moore.com,
eparis@...isplace.org, jmorris@...ei.org, serge@...lyn.com
Cc: tyu1@...ovo.com, linux-security-module@...r.kernel.org,
selinux@...r.kernel.org, linux-kernel@...r.kernel.org,
Huaisheng Ye <yehs1@...ovo.com>
Subject: Re: [PATCH] selinux: remove redundant selinux_nlmsg_perm
On 1/12/20 10:42 AM, Huaisheng Ye wrote:
> From: Huaisheng Ye <yehs1@...ovo.com>
>
> selinux_nlmsg_perm is used for only by selinux_netlink_send. Remove
> the redundant function to simplify the code.
>
> Signed-off-by: Huaisheng Ye <yehs1@...ovo.com>
The patch itself seems fine but it looks like someone accidentally put
pig= in the log message when they meant pid=; that can be fixed via a
separate patch.
Acked-by: Stephen Smalley <sds@...ho.nsa.gov>
> ---
> security/selinux/hooks.c | 73 ++++++++++++++++++++++--------------------------
> 1 file changed, 34 insertions(+), 39 deletions(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index fb1b9da..9f3f966 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -5507,44 +5507,6 @@ static int selinux_tun_dev_open(void *security)
> return 0;
> }
>
> -static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
> -{
> - int err = 0;
> - u32 perm;
> - struct nlmsghdr *nlh;
> - struct sk_security_struct *sksec = sk->sk_security;
> -
> - if (skb->len < NLMSG_HDRLEN) {
> - err = -EINVAL;
> - goto out;
> - }
> - nlh = nlmsg_hdr(skb);
> -
> - err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
> - if (err) {
> - if (err == -EINVAL) {
> - pr_warn_ratelimited("SELinux: unrecognized netlink"
> - " message: protocol=%hu nlmsg_type=%hu sclass=%s"
> - " pig=%d comm=%s\n",
> - sk->sk_protocol, nlh->nlmsg_type,
> - secclass_map[sksec->sclass - 1].name,
> - task_pid_nr(current), current->comm);
> - if (!enforcing_enabled(&selinux_state) ||
> - security_get_allow_unknown(&selinux_state))
> - err = 0;
> - }
> -
> - /* Ignore */
> - if (err == -ENOENT)
> - err = 0;
> - goto out;
> - }
> -
> - err = sock_has_perm(sk, perm);
> -out:
> - return err;
> -}
> -
> #ifdef CONFIG_NETFILTER
>
> static unsigned int selinux_ip_forward(struct sk_buff *skb,
> @@ -5873,7 +5835,40 @@ static unsigned int selinux_ipv6_postroute(void *priv,
>
> static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
> {
> - return selinux_nlmsg_perm(sk, skb);
> + int err = 0;
> + u32 perm;
> + struct nlmsghdr *nlh;
> + struct sk_security_struct *sksec = sk->sk_security;
> +
> + if (skb->len < NLMSG_HDRLEN) {
> + err = -EINVAL;
> + goto out;
> + }
> + nlh = nlmsg_hdr(skb);
> +
> + err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
> + if (err) {
> + if (err == -EINVAL) {
> + pr_warn_ratelimited("SELinux: unrecognized netlink"
> + " message: protocol=%hu nlmsg_type=%hu sclass=%s"
> + " pig=%d comm=%s\n",
> + sk->sk_protocol, nlh->nlmsg_type,
> + secclass_map[sksec->sclass - 1].name,
> + task_pid_nr(current), current->comm);
> + if (!enforcing_enabled(&selinux_state) ||
> + security_get_allow_unknown(&selinux_state))
> + err = 0;
> + }
> +
> + /* Ignore */
> + if (err == -ENOENT)
> + err = 0;
> + goto out;
> + }
> +
> + err = sock_has_perm(sk, perm);
> +out:
> + return err;
> }
>
> static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
>
Powered by blists - more mailing lists