Message-ID: <1464903850.5939.178.camel@edumazet-glaptop3.roam.corp.google.com>
Date: Thu, 02 Jun 2016 14:44:10 -0700
From: Eric Dumazet <eric.dumazet@...il.com>
To: Paul Moore <paul@...l-moore.com>
Cc: samanthakumar@...gle.com, linux-security-module@...r.kernel.org,
 selinux@...ho.nsa.gov, netdev@...r.kernel.org,
 Stephen Smalley <sds@...ho.nsa.gov>
Subject: Re: Possible problem with e6afc8ac ("udp: remove headers from UDP packets before queueing")

On Thu, 2016-06-02 at 17:36 -0400, Paul Moore wrote:
> On Wed, Jun 1, 2016 at 4:44 PM, Stephen Smalley <sds@...ho.nsa.gov> wrote:
> > On 06/01/2016 03:18 PM, Eric Dumazet wrote:
> >> On Wed, 2016-06-01 at 15:01 -0400, Paul Moore wrote:
> >>> Hello,
> >>>
> >>> I'm currently trying to debug a problem with 4.7-rc1 and labeled
> >>> networking over UDP. I'm having some difficulty with the latest
> >>> 4.7-rc1 builds on my test system at the moment so I haven't been able
> >>> to concisely identify the problem, but looking through the commits in
> >>> 4.7-rc1 I think there may be a problem with the following:
> >>>
> >>> commit e6afc8ace6dd5cef5e812f26c72579da8806f5ac
> >>> Author: samanthakumar <samanthakumar@...gle.com>
> >>> Date: Tue Apr 5 12:41:15 2016 -0400
> >>>
> >>>     udp: remove headers from UDP packets before queueing
> >>>
> >>>     Remove UDP transport headers before queueing packets for reception.
> >>>     This change simplifies a follow-up patch to add MSG_PEEK support.
> >>>
> >>>     Signed-off-by: Sam Kumar <samanthakumar@...gle.com>
> >>>     Signed-off-by: Willem de Bruijn <willemb@...gle.com>
> >>>     Signed-off-by: David S. Miller <davem@...emloft.net>
> >>>
> >>> ... it appears that this commit changes things so that sk_filter() is
> >>> only called when sk->sk_filter is not NULL. While this is fine for
> >>> the traditional socket filter case, it causes problems with LSMs that
> >>> make use of security_sock_rcv_skb() to enforce per-packet access
> >>> controls.
> >>>
> >>> Hopefully I'll get 4.7-rc1 booting soon and I can do a proper
> >>> bisection test around this patch, but I wanted to mention this now in
> >>> case others are seeing the same problem.
> >>
> >> Thanks for the report. Please try following fix.
> >>
> >> sk_filter() got additional features like the skb_pfmemalloc() things and
> >> security_sock_rcv_skb()
> >
> > This resolved the SELinux regression for me.
> >
> > Tested-by: Stephen Smalley <sds@...ho.nsa.gov>
>
> The patch works for me too. Eric, are you going to send this to DaveM
> (assuming he isn't listening in on this thread and picking it up
> himself)?
>
> Tested-by: Paul Moore <paul@...l-moore.com>

I am going to send the official patch right away, thanks !
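The failure mode reported in this thread, as an added example that is not part of the original messages, the kernel source, or the fix (which is not shown on this page): a userspace model in which the LSM hook lives inside sk_filter(), so skipping that call when no socket filter is attached also skips the per-packet access check. The struct layouts, the label comparison and the rcv_guarded()/rcv_unconditional() helpers are assumptions made for illustration.

```c
/* Simplified userspace model: names mirror the thread, bodies are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct sk_buff { int peer_label; };              /* constructed packet metadata */
struct sock {
    bool (*sk_filter)(const struct sk_buff *);   /* attached socket filter, may be NULL */
    int allowed_label;                           /* stand-in for the LSM policy */
};

/* Stand-in for the LSM per-packet hook: 0 = allow, -1 = deny. */
static int security_sock_rcv_skb(const struct sock *sk, const struct sk_buff *skb)
{
    return skb->peer_label == sk->allowed_label ? 0 : -1;
}

/* Model of sk_filter(): the LSM check runs even when no filter is attached. */
static int sk_filter(const struct sock *sk, const struct sk_buff *skb)
{
    if (security_sock_rcv_skb(sk, skb))
        return -1;
    if (sk->sk_filter && !sk->sk_filter(skb))
        return -1;
    return 0;
}

/* Receive path as reported: sk_filter() is skipped when sk->sk_filter is NULL. */
static int rcv_guarded(const struct sock *sk, const struct sk_buff *skb)
{
    if (sk->sk_filter && sk_filter(sk, skb))
        return -1;  /* dropped */
    return 0;       /* queued for the application */
}

/* Receive path that always goes through sk_filter(), so the hook always runs. */
static int rcv_unconditional(const struct sock *sk, const struct sk_buff *skb)
{
    return sk_filter(sk, skb) ? -1 : 0;
}

int main(void)
{
    struct sock sk = { .sk_filter = NULL, .allowed_label = 1 };
    struct sk_buff bad = { .peer_label = 2 };    /* packet the policy denies */
    printf("guarded: %d, unconditional: %d\n",
           rcv_guarded(&sk, &bad), rcv_unconditional(&sk, &bad));
    return 0;
}
```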