| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 5 May 2011 10:11:32 -0400
From: Paul Moore <paul.moore@...com>
To: Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>
Cc: sam@...ack.fr, linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
netfilter-devel@...r.kernel.org, hadi@...erus.ca, kaber@...sh.net,
zbr@...emap.net, root@...aldomain.pl
Subject: Re: [RFC v3 02/10] Revert "lsm: Remove the socket_post_accept() hook"
On Tuesday, May 03, 2011 10:28:24 PM Tetsuo Handa wrote:
> Paul Moore wrote:
> > On Tuesday, May 03, 2011 10:24:15 AM Samir Bellabes wrote:
> > > snet needs to reintroduce this hook, as it was designed to be: a hook
> > > for updating security informations on objects.
> >
> > Looking at this and 5/10 again, it seems that you should be able to do
> > what you need with the sock_graft() hook. Am I missing something?
> >
> > My apologies if we've already discussed this approach previously ...
>
> static void snet_socket_post_accept(struct socket *sock, struct socket
> *newsock) {
> static void snet_do_send_event(struct snet_info *info)
> {
> int snet_nl_send_event(struct snet_info *info)
> {
> skb_rsp = genlmsg_new(size, GFP_KERNEL);
> genlmsg_unicast()
> }
> }
> }
>
> First problem with using snet_do_send_event() from security_sock_graft() is
> that we have to use GFP_ATOMIC rather than GFP_KERNEL because we are inside
> write_lock_bh()/write_unlock_bh().
I guess I don't see that as being a blocker ...
> static inline int genlmsg_unicast(struct net *net, struct sk_buff *skb, u32
> pid) {
> static inline int nlmsg_unicast(struct sock *sk, struct sk_buff *skb, u32
> pid) {
> int netlink_unicast(struct sock *ssk, struct sk_buff *skb,
> u32 pid, MSG_DONTWAIT)
> {
> int netlink_attachskb(struct sock *sk, struct sk_buff *skb,
> long *timeo, struct sock *ssk)
> {
> if (!*timeo) {
> return -EAGAIN;
> }
> }
> }
> }
>
> Second problem is that genlmsg_unicast() might return -EAGAIN because we
> can't sleep inside write_lock_bh()/write_unlock_bh().
Ah yes, the real problem. I forgot that snet relied on a user space tool. I
tend to agree with others who have suggested this is not the right approach,
but I understand why you want the post_accept() hook; thanks for reminding me.
--
paul moore
linux @ hp
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists