lists.openwall.net - Open Source and information security mailing list archives
Date: Sat, 5 Sep 2020 23:11:21 -0400
From: Paul Moore <paul@...l-moore.com>
To: Casey Schaufler <casey@...aufler-ca.com>
Cc: casey.schaufler@...el.com, James Morris <jmorris@...ei.org>, linux-security-module@...r.kernel.org, selinux@...r.kernel.org, linux-audit@...hat.com, keescook@...omium.org, john.johansen@...onical.com, penguin-kernel@...ove.sakura.ne.jp, Stephen Smalley <sds@...ho.nsa.gov>, netdev@...r.kernel.org
Subject: Re: [PATCH v20 17/23] LSM: security_secid_to_secctx in netlink netfilter

On Wed, Aug 26, 2020 at 11:20 AM Casey Schaufler <casey@...aufler-ca.com> wrote:
>
> Change netlink netfilter interfaces to use lsmcontext
> pointers, and remove scaffolding.
>
> Reviewed-by: Kees Cook <keescook@...omium.org>
> Reviewed-by: John Johansen <john.johansen@...onical.com>
> Acked-by: Stephen Smalley <sds@...ho.nsa.gov>
> Signed-off-by: Casey Schaufler <casey@...aufler-ca.com>
> cc: netdev@...r.kernel.org
> ---
> net/netfilter/nfnetlink_queue.c | 31 ++++++++++++-------------------
> 1 file changed, 12 insertions(+), 19 deletions(-)

...

> diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
> index d3f8e808c5d3..c830401f7792 100644
> --- a/net/netfilter/nfnetlink_queue.c
> +++ b/net/netfilter/nfnetlink_queue.c
> @@ -401,8 +399,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
> enum ip_conntrack_info ctinfo;
> struct nfnl_ct_hook *nfnl_ct;
> bool csum_verify;
> - struct lsmcontext scaff; /* scaffolding */
> - char *secdata = NULL;
> + struct lsmcontext context = { };
> u32 seclen = 0;
>
> size = nlmsg_total_size(sizeof(struct nfgenmsg))
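Review bot: the `= { }` on `struct lsmcontext context = { };` is doing real work here and should stay, ideally with a short comment: the only writer of `context` is the `nfqnl_get_sk_secctx()` call in the next hunk, which runs only when `NFQA_CFG_F_SECCTX` is set and `entskb->sk` is non-NULL, so on every other path `context.len` is whatever the initializer left. The removed `char *secdata = NULL;` made that intent visible; the new declaration does not, and a later reader may be tempted to drop the initializer as noise.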
> @@ -469,7 +466,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
> }
>
> if ((queue->flags & NFQA_CFG_F_SECCTX) && entskb->sk) {
> - seclen = nfqnl_get_sk_secctx(entskb, &secdata);
> + seclen = nfqnl_get_sk_secctx(entskb, &context);
> if (seclen)
> size += nla_total_size(seclen);
> }

I think we can get rid of the local "seclen" variable, right? We can embed the nfqnl_get_sk_secctx() in the conditional and then simply reference "context.len" everywhere else, yes? For example:

if (nfqnl_get_sk_secctx(..., &context))
size += nla_total_size(context.len);

--
paul moore
www.paul-moore.com
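The shape suggested in the reply, as a user-space model added here (not code from the patch or the kernel): `struct lsmcontext`, `nfqnl_get_sk_secctx()` and `nla_total_size()` are constructed stand-ins that reuse the kernel names, the `NFQA_CFG_F_SECCTX` bit value and the socket label are assumed, and `nla_total_size()` follows the real 4-byte attribute header and alignment so the reserved sizes are realistic.

```c
/* Added example (constructed model, not kernel code): the secctx size-accounting
 * step of nfqnl_build_packet_message() with an lsmcontext carrying its own length. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NLA_ALIGNTO 4
#define NLA_ALIGN(n) (((n) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1))
#define NLA_HDRLEN NLA_ALIGN(4)      /* sizeof(struct nlattr) */
#define NFQA_CFG_F_SECCTX (1 << 3)   /* bit value assumed for this model */
struct lsmcontext { const char *context; uint32_t len; };
struct sock { const char *secctx; };  /* stand-in for the socket's LSM label */
/* netlink attribute footprint: header plus payload, padded to 4 bytes */
static size_t nla_total_size(size_t payload) { return NLA_ALIGN(NLA_HDRLEN + payload); }
/* model of nfqnl_get_sk_secctx(): fills ctx and returns the length, 0 if the socket
 * has no label; on that path ctx is left untouched, so the caller's zero-init matters */
static uint32_t nfqnl_get_sk_secctx(const struct sock *sk, struct lsmcontext *ctx)
{
    if (!sk->secctx)
        return 0;
    ctx->context = sk->secctx;
    ctx->len = (uint32_t)strlen(sk->secctx);
    return ctx->len;
}
/* the size step: call inside the conditional, context.len the only length used */
static size_t secctx_attr_size(uint32_t flags, const struct sock *sk, struct lsmcontext *ctx)
{
    size_t size = 0;
    if ((flags & NFQA_CFG_F_SECCTX) && sk && nfqnl_get_sk_secctx(sk, ctx))
        size += nla_total_size(ctx->len);
    return size;
}
/* run the model on a constructed socket (NULL label = unlabelled); *len_out = context.len */
static size_t model(const char *label, uint32_t flags, uint32_t *len_out)
{
    struct sock sk = { .secctx = label };
    struct lsmcontext ctx = { 0 };    /* same effect as the patch's "= { }" */
    size_t size = secctx_attr_size(flags, &sk, &ctx);
    *len_out = ctx.len;
    return size;
}
int main(void)
{
    uint32_t n;
    size_t s = model("system_u:object_r:foo_t", NFQA_CFG_F_SECCTX, &n);  /* constructed label */
    printf("labelled: %zu bytes reserved, context.len %u\n", s, n);
    s = model(NULL, NFQA_CFG_F_SECCTX, &n);
    printf("unlabelled: %zu bytes reserved, context.len %u\n", s, n);
    return 0;
}
```

The unlabelled and flag-off cases leave `context.len` at zero only because of the initializer, which is the property the single-length form relies on.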