From: Luke Kenneth Casson Leighton <lkcl@lkcl.net>
To: Stephen Smalley <sds@epoch.ncsc.mil>
Cc: Valdis Kletnieks <Valdis.Kletnieks@vt.edu>,
lkml <linux-kernel@vger.kernel.org>,
SELinux@tycho.nsa.gov, Ingo Molnar <mingo@redhat.com>,
netdev@oss.sgi.com, linux-net@vger.kernel.org
Subject: Re: 2.6.9-rc2-mm4-VP-S7 - ksoftirq and selinux oddity
Date: Fri, 8 Oct 2004 10:31:54 +0100 [thread overview]
Message-ID: <20041008093154.GA5089@lkcl.net> (raw)
In-Reply-To: <1097157367.13339.38.camel@moss-spartans.epoch.ncsc.mil>
On Thu, Oct 07, 2004 at 09:56:07AM -0400, Stephen Smalley wrote:
> On Thu, 2004-10-07 at 01:42, Valdis.Kletnieks@vt.edu wrote:
> > audit(1097111349.727:0): avc: denied { tcp_recv } for pid=2 comm=ksoftirqd/0 saddr=127.0.0.1 src=25 daddr=127.0.0.1 dest=59639 netif=lo scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:netif_lo_t tclass=netif
> > audit(1097111349.754:0): avc: denied { tcp_recv } for pid=2 comm=ksoftirqd/0 saddr=127.0.0.1 src=25 daddr=127.0.0.1 dest=59639 netif=lo scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:node_lo_t tclass=node
> > audit(1097111349.782:0): avc: denied { recv_msg } for pid=2 comm=ksoftirqd/0 saddr=127.0.0.1 src=25 daddr=127.0.0.1 dest=59639 netif=lo scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:smtp_port_t tclass=tcp_socket
> >
> > At least for the recv_msg error, I *think* the message is generated because
> > when we get into net/socket.c, we call security_socket_recvmsg() in
> > __recv_msg() - and (possibly only when we have the VP patch applied?) at that
> > point we're in a softirqd context rather than the context of the process that
> > will finally receive the packet, so the SELinux code ends up checking the wrong
> Valdis,
>
> These permission checks are based on the receiving socket security
> context, not any process security context, and are performed by the
> sock_rcv_skb hook when mediating packet receipt on a socket. The
> auxiliary pid and comm or exe information is meaningless for such
> checks. avc_audit could possibly be modified to check whether we are in
> softirq and omit them in those cases from the audit messages.
> This has
> been discussed previously on the selinux mailing list, please see the
> archives.
an alternative possible solution is to get the packet _out_ from
the interrupt context and have the aux pid comm exe information added.
as i understand it "a" possible way to do that would be to have a
userspace ip_queue which simply marks the packet as "seen it" and then
does "now please reprocess it".
by the time that packets get to ip_queue in userspace, they will have
had their aix pid comm exe info added (and the file sock stuff).
alternatively, someone could spend a lot of their time doing exactly
the same thing in kernel-space.
l.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
WARNING: multiple messages have this Message-ID (diff)
From: Luke Kenneth Casson Leighton <lkcl@lkcl.net>
To: Stephen Smalley <sds@epoch.ncsc.mil>
Cc: Valdis Kletnieks <Valdis.Kletnieks@vt.edu>,
lkml <linux-kernel@vger.kernel.org>,
SELinux@tycho.nsa.gov, Ingo Molnar <mingo@redhat.com>,
netdev@oss.sgi.com, linux-net@vger.kernel.org
Subject: Re: 2.6.9-rc2-mm4-VP-S7 - ksoftirq and selinux oddity
Date: Fri, 8 Oct 2004 10:31:54 +0100 [thread overview]
Message-ID: <20041008093154.GA5089@lkcl.net> (raw)
In-Reply-To: <1097157367.13339.38.camel@moss-spartans.epoch.ncsc.mil>
On Thu, Oct 07, 2004 at 09:56:07AM -0400, Stephen Smalley wrote:
> On Thu, 2004-10-07 at 01:42, Valdis.Kletnieks@vt.edu wrote:
> > audit(1097111349.727:0): avc: denied { tcp_recv } for pid=2 comm=ksoftirqd/0 saddr=127.0.0.1 src=25 daddr=127.0.0.1 dest=59639 netif=lo scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:netif_lo_t tclass=netif
> > audit(1097111349.754:0): avc: denied { tcp_recv } for pid=2 comm=ksoftirqd/0 saddr=127.0.0.1 src=25 daddr=127.0.0.1 dest=59639 netif=lo scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:node_lo_t tclass=node
> > audit(1097111349.782:0): avc: denied { recv_msg } for pid=2 comm=ksoftirqd/0 saddr=127.0.0.1 src=25 daddr=127.0.0.1 dest=59639 netif=lo scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:smtp_port_t tclass=tcp_socket
> >
> > At least for the recv_msg error, I *think* the message is generated because
> > when we get into net/socket.c, we call security_socket_recvmsg() in
> > __recv_msg() - and (possibly only when we have the VP patch applied?) at that
> > point we're in a softirqd context rather than the context of the process that
> > will finally receive the packet, so the SELinux code ends up checking the wrong
> Valdis,
>
> These permission checks are based on the receiving socket security
> context, not any process security context, and are performed by the
> sock_rcv_skb hook when mediating packet receipt on a socket. The
> auxiliary pid and comm or exe information is meaningless for such
> checks. avc_audit could possibly be modified to check whether we are in
> softirq and omit them in those cases from the audit messages.
> This has
> been discussed previously on the selinux mailing list, please see the
> archives.
an alternative possible solution is to get the packet _out_ from
the interrupt context and have the aux pid comm exe information added.
as i understand it "a" possible way to do that would be to have a
userspace ip_queue which simply marks the packet as "seen it" and then
does "now please reprocess it".
by the time that packets get to ip_queue in userspace, they will have
had their aix pid comm exe info added (and the file sock stuff).
alternatively, someone could spend a lot of their time doing exactly
the same thing in kernel-space.
l.
next prev parent reply other threads:[~2004-10-08 9:20 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-10-07 5:42 2.6.9-rc2-mm4-VP-S7 - ksoftirq and selinux oddity Valdis.Kletnieks
2004-10-07 13:56 ` Stephen Smalley
2004-10-07 13:56 ` Stephen Smalley
2004-10-08 9:31 ` Luke Kenneth Casson Leighton [this message]
2004-10-08 9:31 ` Luke Kenneth Casson Leighton
2004-10-08 11:18 ` Stephen Smalley
2004-10-08 11:18 ` Stephen Smalley
2004-10-08 11:37 ` Luke Kenneth Casson Leighton
2004-10-08 11:37 ` Luke Kenneth Casson Leighton
2004-10-07 18:59 ` Ingo Molnar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20041008093154.GA5089@lkcl.net \
--to=lkcl@lkcl.net \
--cc=SELinux@tycho.nsa.gov \
--cc=Valdis.Kletnieks@vt.edu \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-net@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=netdev@oss.sgi.com \
--cc=sds@epoch.ncsc.mil \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.