* [PATCH] SELinux: Use unknown perm handling to handle unknown netlink msg types
@ 2008-11-05 14:34 Eric Paris
2008-11-05 16:38 ` Paul Moore
2008-11-07 16:11 ` Stephen Smalley
0 siblings, 2 replies; 6+ messages in thread
From: Eric Paris @ 2008-11-05 14:34 UTC (permalink / raw)
To: selinux; +Cc: sds, jmorris
Currently when SELinux has not been updated to handle a netlink message
type the operation is denied with EINVAL. This patch will leave the
audit/warning message so things get fixed but if policy chose to allow
unknowns this will allow the netlink operation.
Signed-off-by: Eric Paris <eparis@redhat.com>
---
security/selinux/hooks.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index f85597a..c6f8f3e 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4387,7 +4387,7 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
"SELinux: unrecognized netlink message"
" type=%hu for sclass=%hu\n",
nlh->nlmsg_type, isec->sclass);
- if (!selinux_enforcing)
+ if (!selinux_enforcing || security_get_allow_unknown())
err = 0;
}
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH] SELinux: Use unknown perm handling to handle unknown netlink msg types
2008-11-05 14:34 [PATCH] SELinux: Use unknown perm handling to handle unknown netlink msg types Eric Paris
@ 2008-11-05 16:38 ` Paul Moore
2008-11-07 16:07 ` Eric Paris
2008-11-07 16:11 ` Stephen Smalley
1 sibling, 1 reply; 6+ messages in thread
From: Paul Moore @ 2008-11-05 16:38 UTC (permalink / raw)
To: Eric Paris; +Cc: selinux, sds, jmorris
On Wednesday 05 November 2008 9:34:42 am Eric Paris wrote:
> Currently when SELinux has not been updated to handle a netlink
> message type the operation is denied with EINVAL. This patch will
> leave the audit/warning message so things get fixed but if policy
> chose to allow unknowns this will allow the netlink operation.
>
> Signed-off-by: Eric Paris <eparis@redhat.com>
> ---
>
> security/selinux/hooks.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index f85597a..c6f8f3e 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -4387,7 +4387,7 @@ static int selinux_nlmsg_perm(struct sock *sk,
> struct sk_buff *skb) "SELinux: unrecognized netlink message"
> " type=%hu for sclass=%hu\n",
> nlh->nlmsg_type, isec->sclass);
> - if (!selinux_enforcing)
> + if (!selinux_enforcing || security_get_allow_unknown())
> err = 0;
> }
What about moving the security_get_allow_unknown() call to the default
switch clause of selinux_nlmsg_lookup()? Something like this:
/* No messaging from userspace, or class unknown/unhandled */
default:
if (!security_get_allow_unknown())
err = -ENOENT;
break;
This seems like a more natural fit to me (although maybe the audit
message should be moved to selinux_nlmsg_lookup() too?) and it has the
benefit of still checking the socket permissions via socket_has_perm()
in the event that the netlink message is unknown.
--
paul moore
linux @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] SELinux: Use unknown perm handling to handle unknown netlink msg types
2008-11-05 16:38 ` Paul Moore
@ 2008-11-07 16:07 ` Eric Paris
2008-11-07 17:12 ` Paul Moore
0 siblings, 1 reply; 6+ messages in thread
From: Eric Paris @ 2008-11-07 16:07 UTC (permalink / raw)
To: Paul Moore; +Cc: selinux, sds, jmorris
On Wed, 2008-11-05 at 11:38 -0500, Paul Moore wrote:
> On Wednesday 05 November 2008 9:34:42 am Eric Paris wrote:
> > Currently when SELinux has not been updated to handle a netlink
> > message type the operation is denied with EINVAL. This patch will
> > leave the audit/warning message so things get fixed but if policy
> > chose to allow unknowns this will allow the netlink operation.
> >
> > Signed-off-by: Eric Paris <eparis@redhat.com>
> > ---
> >
> > security/selinux/hooks.c | 2 +-
> > 1 files changed, 1 insertions(+), 1 deletions(-)
> >
> >
> > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> > index f85597a..c6f8f3e 100644
> > --- a/security/selinux/hooks.c
> > +++ b/security/selinux/hooks.c
> > @@ -4387,7 +4387,7 @@ static int selinux_nlmsg_perm(struct sock *sk,
> > struct sk_buff *skb) "SELinux: unrecognized netlink message"
> > " type=%hu for sclass=%hu\n",
> > nlh->nlmsg_type, isec->sclass);
> > - if (!selinux_enforcing)
> > + if (!selinux_enforcing || security_get_allow_unknown())
> > err = 0;
> > }
>
> What about moving the security_get_allow_unknown() call to the default
> switch clause of selinux_nlmsg_lookup()? Something like this:
>
> /* No messaging from userspace, or class unknown/unhandled */
> default:
> if (!security_get_allow_unknown())
> err = -ENOENT;
> break;
>
> This seems like a more natural fit to me (although maybe the audit
> message should be moved to selinux_nlmsg_lookup() too?) and it has the
> benefit of still checking the socket permissions via socket_has_perm()
> in the event that the netlink message is unknown.
We already just blindly allow the case where a new/unknown sclass is
used which is what this part of the switch statement hits. I wanted to
get the case where a known class has a new mesg type (aka nlmsg_perm
returns -EINVAL)
Not sure that the socket check is worth anything since I don't (in
either case) know what perms to ask for.
I also considered making the case of unknown msg type return ALL of the
perms for that entire socket class but I think what I did is the
best/easiest way we can go....
-Eric
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] SELinux: Use unknown perm handling to handle unknown netlink msg types
2008-11-05 14:34 [PATCH] SELinux: Use unknown perm handling to handle unknown netlink msg types Eric Paris
2008-11-05 16:38 ` Paul Moore
@ 2008-11-07 16:11 ` Stephen Smalley
2008-11-08 23:41 ` James Morris
1 sibling, 1 reply; 6+ messages in thread
From: Stephen Smalley @ 2008-11-07 16:11 UTC (permalink / raw)
To: Eric Paris; +Cc: selinux, jmorris
On Wed, 2008-11-05 at 09:34 -0500, Eric Paris wrote:
> Currently when SELinux has not been updated to handle a netlink message
> type the operation is denied with EINVAL. This patch will leave the
> audit/warning message so things get fixed but if policy chose to allow
> unknowns this will allow the netlink operation.
>
> Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
> ---
>
> security/selinux/hooks.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index f85597a..c6f8f3e 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -4387,7 +4387,7 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
> "SELinux: unrecognized netlink message"
> " type=%hu for sclass=%hu\n",
> nlh->nlmsg_type, isec->sclass);
> - if (!selinux_enforcing)
> + if (!selinux_enforcing || security_get_allow_unknown())
> err = 0;
> }
>
>
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] SELinux: Use unknown perm handling to handle unknown netlink msg types
2008-11-07 16:07 ` Eric Paris
@ 2008-11-07 17:12 ` Paul Moore
0 siblings, 0 replies; 6+ messages in thread
From: Paul Moore @ 2008-11-07 17:12 UTC (permalink / raw)
To: Eric Paris; +Cc: selinux, sds, jmorris
On Friday 07 November 2008 11:07:41 am Eric Paris wrote:
> On Wed, 2008-11-05 at 11:38 -0500, Paul Moore wrote:
> > On Wednesday 05 November 2008 9:34:42 am Eric Paris wrote:
> > > Currently when SELinux has not been updated to handle a netlink
> > > message type the operation is denied with EINVAL. This patch
> > > will leave the audit/warning message so things get fixed but if
> > > policy chose to allow unknowns this will allow the netlink
> > > operation.
> > >
> > > Signed-off-by: Eric Paris <eparis@redhat.com>
> > > ---
> > >
> > > security/selinux/hooks.c | 2 +-
> > > 1 files changed, 1 insertions(+), 1 deletions(-)
> > >
> > >
> > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> > > index f85597a..c6f8f3e 100644
> > > --- a/security/selinux/hooks.c
> > > +++ b/security/selinux/hooks.c
> > > @@ -4387,7 +4387,7 @@ static int selinux_nlmsg_perm(struct sock
> > > *sk, struct sk_buff *skb) "SELinux: unrecognized netlink
> > > message" " type=%hu for sclass=%hu\n",
> > > nlh->nlmsg_type, isec->sclass);
> > > - if (!selinux_enforcing)
> > > + if (!selinux_enforcing || security_get_allow_unknown())
> > > err = 0;
> > > }
> >
> > What about moving the security_get_allow_unknown() call to the
> > default switch clause of selinux_nlmsg_lookup()? Something like
> > this:
> >
> > /* No messaging from userspace, or class unknown/unhandled
> > */ default:
> > if (!security_get_allow_unknown())
> > err = -ENOENT;
> > break;
> >
> > This seems like a more natural fit to me (although maybe the audit
> > message should be moved to selinux_nlmsg_lookup() too?) and it has
> > the benefit of still checking the socket permissions via
> > socket_has_perm() in the event that the netlink message is unknown.
>
> We already just blindly allow the case where a new/unknown sclass is
> used which is what this part of the switch statement hits. I wanted
> to get the case where a known class has a new mesg type (aka
> nlmsg_perm returns -EINVAL)
Fair enough, I thought you were trying to solve a different problem.
--
paul moore
linux @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] SELinux: Use unknown perm handling to handle unknown netlink msg types
2008-11-07 16:11 ` Stephen Smalley
@ 2008-11-08 23:41 ` James Morris
0 siblings, 0 replies; 6+ messages in thread
From: James Morris @ 2008-11-08 23:41 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Eric Paris, selinux
On Fri, 7 Nov 2008, Stephen Smalley wrote:
> On Wed, 2008-11-05 at 09:34 -0500, Eric Paris wrote:
> > Currently when SELinux has not been updated to handle a netlink message
> > type the operation is denied with EINVAL. This patch will leave the
> > audit/warning message so things get fixed but if policy chose to allow
> > unknowns this will allow the netlink operation.
> >
> > Signed-off-by: Eric Paris <eparis@redhat.com>
>
> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Applied to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6#next
--
James Morris
<jmorris@namei.org>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2008-11-08 23:41 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-11-05 14:34 [PATCH] SELinux: Use unknown perm handling to handle unknown netlink msg types Eric Paris
2008-11-05 16:38 ` Paul Moore
2008-11-07 16:07 ` Eric Paris
2008-11-07 17:12 ` Paul Moore
2008-11-07 16:11 ` Stephen Smalley
2008-11-08 23:41 ` James Morris
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.