| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <51F20DEF.2090108@windriver.com>
Date: Fri, 26 Jul 2013 13:49:35 +0800
From: Fan Du <fan.du@...driver.com>
To: <nicolas.dichtel@...nd.com>,
Hannes Frederic Sowa <hannes@...essinduktion.org>
CC: <davem@...emloft.net>, <yoshfuji@...ux-ipv6.org>,
<jmorris@...ei.org>, <steffen.klassert@...unet.com>,
netdev <netdev@...r.kernel.org>
Subject: Re: [PATCH net-next v3] net: split rt_genid for ipv4 and ipv6
On 2013年07月26日 02:13, Hannes Frederic Sowa wrote:
> On Thu, Jul 25, 2013 at 05:47:12PM +0800, Fan Du wrote:
>> +/* For callers who don't really care about whether it's IPv4 or IPv6 */
>> +static inline void rt_genid_bump_all(struct net *net)
>> +{
>> + atomic_inc(&net->ipv4.rt_genid);
>> +#if IS_ENABLED(CONFIG_IPV6)
>> + atomic_inc(&net->ipv6.rt_genid);
>> +#endif
>
> You could get away with the ifdef if you just do
> rt_genid_bump_ipv4(net);
> rt_genid_bump_ipv6(net);
Ok, will fix this.
>
> Somewhere something does break selinux:
>
> CC security/selinux/hooks.o
> In file included from security/selinux/hooks.c:93:0:
> security/selinux/include/xfrm.h: In function ‘selinux_xfrm_notify_policyload’:
> security/selinux/include/xfrm.h:54:2: error: implicit declaration of function ‘rt_genid_bump’ [-Werror=implicit-function-declaration]
> rt_genid_bump(&init_net);
> ^
> Seems like you have overlooked the rt_genid_bump in
> security/selinux/include/xfrm.h, which should be a rt_genid_bump_all
>
Thanks for report this, my side CONFIG_SECURITY_NETWORK_XFRM is not set before. :(
> Off-topic:
> Is it correct that selinux_xfrm_notify_policyload only bumps genid for
> init_net?
>
This was introduced in ee8372dd1989287c5eedb69d44bac43f69e496f1
"xfrm: invalidate dst on policy insertion/deletion" by Nicolas.
I take a look at SELINUX xfrm part, my limited understanding SELINUX XFRM rule
should take global effect on all net name space in current implementation.
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h
index 65f67cb..4f72d2c 100644
--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -50,8 +50,14 @@ int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);
static inline void selinux_xfrm_notify_policyload(void)
{
+ struct net *net;
+
atomic_inc(&flow_cache_genid);
- rt_genid_bump(&init_net);
+ rtnl_lock();
+ for_each_net(net) {
+ rt_genid_bump_all(net);
+ }
+ rtnl_unlock();
}
#else
static inline int selinux_xfrm_enabled(void)
Let me know if I miss something inside it. Thanks.
> Otherwise I don't see any problems arising from this patch because of
> the rt_genid split.
>
> Greetings,
>
> Hannes
>
>
--
浮沉随浪只记今朝笑
--fan
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists