From: richard_c_haines@btinternet.com (Richard Haines)
To: linux-security-module@vger.kernel.org
Subject: [GIT PULL] SELinux patches for v4.17
Date: Sun, 08 Apr 2018 19:59:15 +0100 [thread overview]
Message-ID: <1523213955.3552.9.camel@btinternet.com> (raw)
In-Reply-To: <CADvbK_eFNkA5uJ36sBEFxWnWXLOPwKyvgUuTHJG96g0zxOwPLg@mail.gmail.com>
On Mon, 2018-04-09 at 01:43 +0800, Xin Long wrote:
> On Sun, Apr 8, 2018 at 10:09 PM, Richard Haines
> <richard_c_haines@btinternet.com> wrote:
> > On Sun, 2018-04-08 at 08:50 -0400, Paul Moore wrote:
> > > On April 7, 2018 1:03:57 PM Linus Torvalds <torvalds@linux-founda
> > > tion
> > > .org> wrote:
> > > On Sat, Apr 7, 2018 at 9:54 AM, Richard Haines
> > > <richard_c_haines@btinternet.com> wrote:
> > >
> > > So please check my resolution, but also somebody should tell me
> > > "Linus, you're a cretin, sctp_connect() doesn't want that
> > > security_sctp_bind_connect() at all because it was already done
> > > by
> > > XYZ"
> > >
> > > sctp_connect() or __sctp_connect() do not need to call
> > > security_sctp_bind_connect(). This is because the connect(2) call
> > > will
> > > handle the checks required via security_socket_connect():
> > >
> > > Ok, thanks, that's exactly what I wanted to get.
> > >
> > > Anyway, somebody should still verify that it all looks good in my
> > > tree, but I don't actually expect the merge to have had any
> > > issues
> > > even if the refactoring made it a bit more complex than most
> > > merges
> > > are.
> > >
> > > Thanks for the quick response Richard.
> > >
> > > Xin Long looked it over and gave it the thumbs up, I'll take a
> > > look
> > > too, but to be honest I trust his SCTP understanding much more
> > > than
> > > mine. I also do weekly tests of each rcX release at a minimum so
> > > if
> > > something odd pops up I'll make sure you get a fix.
> > >
> > > Thanks again everyone.
> >
> > I built the kernel this morning and sorry to spoil the party, but
> > I've
> > run into a problem with lksctp-tools when running the func_tests:
> >
> > make v6test
> > ..
> > ..
> > ./test_timetolive_v6
> > test_timetolive.c 0 INFO : Creating fillmsg of size 3087
> > test_timetolive.c 1 PASS : Send a message with timeout
> > test_timetolive.c 2 PASS : Send a message with no timeout
> > test_timetolive.c 3 PASS : Send a fragmented message with timeout
> > test_timetolive.c 0 INFO : ** SLEEPING for 3 seconds **
> > test_timetolive.c 4 BROK : Got a datamsg of unexpected length:23,
> > expected length:27
> > DUMP_CORE sctputil.c: 247
> > /bin/sh: line 1: 30981 Segmentation fault (core dumped) ./$a
> > test_timetolive_v6 fails
> >
> > make v4 test fails the same way. I'm using lksctp-tools from [1]. I
> > have not investigated the cause yet as just found this and thought
> > I
> > should flag first just in case someone has the answer !!!
>
> test_timetolive(_v6) works for me, In lksctp-tools/src/func_tests, I
> had
> another case failed,./test_1_to_1_events, it's caused by:
> commit 30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b
> Author: Xin Long <lucien.xin@gmail.com>
> Date: Wed Mar 14 19:05:34 2018 +0800
>
> sctp: add SCTP_AUTH_NO_AUTH type for AUTHENTICATION_EVENT
>
> It's not kernel's issue, after that commit, ./test_1_to_1_events
> should
> have been improved. or avoid it by 'sysctl -w net.sctp.auth_enable=1'
>
> I'm not sure why test_timetolive(_v6) is not working in your env.
It appears to depend on the run sequence of the tests. I rebooted the
system, ran test_timetolive_v6, it worked okay.
Ran "sctp-tests run" on a terminal, then ran test_timetolive_v6 at
various intervals on another terminal. Once sctp-tests started the "===
ndatasched ===" sequence, test_timetolive_v6 failed.
>
> >
> > On the bright side, I've run the sctp-tests from [2] with no
> > problems
> > and also the selinux-testsuite with my SCTP patch from [3] using an
> > updated Fedora policy from [4] (with sctp support added), all in
> > enforcing mode.
> >
> > Also the LTP test passed:
> > cd /opt/ltp/
> > cat runtest/syscalls |grep connect01>runtest/connect-syscall
> > ./runltp -pq -f connect-syscall
> > ....
> >
> > [1] https://github.com/sctp/lksctp-tools
> > [2] https://github.com/sctp/sctp-tests
> > [3] https://marc.info/?l=selinux&m=152156947715709&w=2
> > [4] https://github.com/fedora-selinux/selinux-policy
> >
> >
> > >
> > > --
> > > paul moore
> > > www.paul-moore.com
> > >
> > >
> > >
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-
> security-module" in
> the body of a message to majordomo at vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: Richard Haines <richard_c_haines@btinternet.com>
To: Xin Long <lucien.xin@gmail.com>
Cc: Paul Moore <paul@paul-moore.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
selinux@tycho.nsa.gov,
LSM List <linux-security-module@vger.kernel.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [GIT PULL] SELinux patches for v4.17
Date: Sun, 08 Apr 2018 19:59:15 +0100 [thread overview]
Message-ID: <1523213955.3552.9.camel@btinternet.com> (raw)
In-Reply-To: <CADvbK_eFNkA5uJ36sBEFxWnWXLOPwKyvgUuTHJG96g0zxOwPLg@mail.gmail.com>
On Mon, 2018-04-09 at 01:43 +0800, Xin Long wrote:
> On Sun, Apr 8, 2018 at 10:09 PM, Richard Haines
> <richard_c_haines@btinternet.com> wrote:
> > On Sun, 2018-04-08 at 08:50 -0400, Paul Moore wrote:
> > > On April 7, 2018 1:03:57 PM Linus Torvalds <torvalds@linux-founda
> > > tion
> > > .org> wrote:
> > > On Sat, Apr 7, 2018 at 9:54 AM, Richard Haines
> > > <richard_c_haines@btinternet.com> wrote:
> > >
> > > So please check my resolution, but also somebody should tell me
> > > "Linus, you're a cretin, sctp_connect() doesn't want that
> > > security_sctp_bind_connect() at all because it was already done
> > > by
> > > XYZ"
> > >
> > > sctp_connect() or __sctp_connect() do not need to call
> > > security_sctp_bind_connect(). This is because the connect(2) call
> > > will
> > > handle the checks required via security_socket_connect():
> > >
> > > Ok, thanks, that's exactly what I wanted to get.
> > >
> > > Anyway, somebody should still verify that it all looks good in my
> > > tree, but I don't actually expect the merge to have had any
> > > issues
> > > even if the refactoring made it a bit more complex than most
> > > merges
> > > are.
> > >
> > > Thanks for the quick response Richard.
> > >
> > > Xin Long looked it over and gave it the thumbs up, I'll take a
> > > look
> > > too, but to be honest I trust his SCTP understanding much more
> > > than
> > > mine. I also do weekly tests of each rcX release at a minimum so
> > > if
> > > something odd pops up I'll make sure you get a fix.
> > >
> > > Thanks again everyone.
> >
> > I built the kernel this morning and sorry to spoil the party, but
> > I've
> > run into a problem with lksctp-tools when running the func_tests:
> >
> > make v6test
> > ..
> > ..
> > ./test_timetolive_v6
> > test_timetolive.c 0 INFO : Creating fillmsg of size 3087
> > test_timetolive.c 1 PASS : Send a message with timeout
> > test_timetolive.c 2 PASS : Send a message with no timeout
> > test_timetolive.c 3 PASS : Send a fragmented message with timeout
> > test_timetolive.c 0 INFO : ** SLEEPING for 3 seconds **
> > test_timetolive.c 4 BROK : Got a datamsg of unexpected length:23,
> > expected length:27
> > DUMP_CORE sctputil.c: 247
> > /bin/sh: line 1: 30981 Segmentation fault (core dumped) ./$a
> > test_timetolive_v6 fails
> >
> > make v4 test fails the same way. I'm using lksctp-tools from [1]. I
> > have not investigated the cause yet as just found this and thought
> > I
> > should flag first just in case someone has the answer !!!
>
> test_timetolive(_v6) works for me, In lksctp-tools/src/func_tests, I
> had
> another case failed,./test_1_to_1_events, it's caused by:
> commit 30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b
> Author: Xin Long <lucien.xin@gmail.com>
> Date: Wed Mar 14 19:05:34 2018 +0800
>
> sctp: add SCTP_AUTH_NO_AUTH type for AUTHENTICATION_EVENT
>
> It's not kernel's issue, after that commit, ./test_1_to_1_events
> should
> have been improved. or avoid it by 'sysctl -w net.sctp.auth_enable=1'
>
> I'm not sure why test_timetolive(_v6) is not working in your env.
It appears to depend on the run sequence of the tests. I rebooted the
system, ran test_timetolive_v6, it worked okay.
Ran "sctp-tests run" on a terminal, then ran test_timetolive_v6 at
various intervals on another terminal. Once sctp-tests started the "===
ndatasched ===" sequence, test_timetolive_v6 failed.
>
> >
> > On the bright side, I've run the sctp-tests from [2] with no
> > problems
> > and also the selinux-testsuite with my SCTP patch from [3] using an
> > updated Fedora policy from [4] (with sctp support added), all in
> > enforcing mode.
> >
> > Also the LTP test passed:
> > cd /opt/ltp/
> > cat runtest/syscalls |grep connect01>runtest/connect-syscall
> > ./runltp -pq -f connect-syscall
> > ....
> >
> > [1] https://github.com/sctp/lksctp-tools
> > [2] https://github.com/sctp/sctp-tests
> > [3] https://marc.info/?l=selinux&m=152156947715709&w=2
> > [4] https://github.com/fedora-selinux/selinux-policy
> >
> >
> > >
> > > --
> > > paul moore
> > > www.paul-moore.com
> > >
> > >
> > >
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-
> security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2018-04-08 18:59 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-04 1:37 [GIT PULL] SELinux patches for v4.17 Paul Moore
2018-04-04 1:37 ` Paul Moore
2018-04-06 23:07 ` Linus Torvalds
2018-04-06 23:07 ` Linus Torvalds
2018-04-07 16:54 ` Richard Haines
2018-04-07 16:54 ` Richard Haines
2018-04-07 17:03 ` Linus Torvalds
2018-04-07 17:03 ` Linus Torvalds
2018-04-08 12:50 ` Paul Moore
2018-04-08 12:50 ` Paul Moore
2018-04-08 14:09 ` Richard Haines
2018-04-08 14:09 ` Richard Haines
2018-04-08 17:43 ` Xin Long
2018-04-08 17:43 ` Xin Long
2018-04-08 18:59 ` Richard Haines [this message]
2018-04-08 18:59 ` Richard Haines
2018-04-08 22:44 ` Richard Haines
2018-04-08 22:44 ` Richard Haines
2018-04-09 5:31 ` Xin Long
2018-04-09 5:31 ` Xin Long
2018-04-08 6:13 ` Xin Long
2018-04-08 6:13 ` Xin Long
2018-04-08 12:45 ` Paul Moore
2018-04-08 12:45 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1523213955.3552.9.camel@btinternet.com \
--to=richard_c_haines@btinternet.com \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.