lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <1458832.5C3jQy5BFx@sifl>
Date:	Fri, 01 Jun 2012 09:14:19 -0400
From:	Paul Moore <pmoore@...hat.com>
To:	David Miller <davem@...emloft.net>
Cc:	netdev@...r.kernel.org, linux-security-module@...r.kernel.org
Subject: Re: [PATCH] cipso: handle CIPSO options correctly when NetLabel is disabled

On Thursday, May 31, 2012 07:07:05 PM David Miller wrote:
> From: Paul Moore <pmoore@...hat.com>
> Date: Thu, 31 May 2012 16:09:23 -0400
> 
> > When NetLabel is not enabled, e.g. CONFIG_NETLABEL=n, and the system
> > receives a CIPSO tagged packet it is dropped (cipso_v4_validate()
> > returns non-zero).  In most cases this is the correct and desired
> > behavior, however, in the case where we are simply forwarding the
> > traffic, e.g. acting as a network bridge, this becomes a problem.
> > 
> > This patch fixes the forwarding problem by providing the basic CIPSO
> > validation code directly in ip_options_compile() without the need for
> > the NetLabel or CIPSO code.  The new validation code can not perform
> > any of the CIPSO option label/value verification that
> > cipso_v4_validate() does, but it can verify the basic CIPSO option
> > format.
> > 
> > The behavior when NetLabel is enabled is unchanged.
> > 
> > Signed-off-by: Paul Moore <pmoore@...hat.com>
> 
> I don't like this at all.
> 
> The only conclusion I can come to is that cipso_v4_validate() is doing
> the wrong thing when NETLABEL is disabled.
> 
> There is never a good reason to crap all over a function with ifdefs.
> This is especially true when it's being done to paper over a function
> with poor semantics.
> 
> The whole idea is to abstract and put all of this kind of logic into
> cipso_v4_validate().

I originally had the #ifdef'd code in the non-CONFIG_NETLABEL 
cipso_v4_validate() in include/net/cipso_ipv4.h but thought it was too much 
code to put there.  No worries, I'll just move it back and resubmit.

-- 
paul moore
security and virtualization @ redhat

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ