From: Paul Moore <paul.moore@hp.com>
To: etienne <etienne.basset@numericable.fr>
Cc: Casey Schaufler <casey@schaufler-ca.com>,
"Linux-Kernel" <linux-kernel@vger.kernel.org>,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH] SMACK netfilter smacklabel socket match
Date: Tue, 17 Feb 2009 18:52:20 -0500
Message-ID: <200902171852.21061.paul.moore@hp.com>
In-Reply-To: <499B178B.9090601@numericable.fr>
On Tuesday 17 February 2009 03:01:15 pm etienne wrote:
> I realize this patch is a little ugly, a cleaner way would be to insert
> struct smk_netlbladdr sorted from longest to smallest mask and break the
> loop as soon as we have a match... regards,
Agreed, the address matching code really should be improved; if you feel like
you could contribute the changes I'm pretty sure Casey would welcome the
patches :)
Regarding your fix below, I think a cleaner solution would be to do something
like the following in place of the existing mask check ...
	if ((miap->s_addr & bestmask.s_addr) || (bestmask.s_addr == 0)) {
		bestmask.s_addr = miap->s_addr;
		bestlabel = snp->smk_label;
	}
... however there is one small problem with this approach (your proposal
suffers from the same issue): normally the smack_host_label() code prefers the
first matching entry in the list; the change above preserves that with the
exception of a 0.0.0.0/0 entry. Granted, you shouldn't allow that in the
first place, but I believe it is possible, so it is something that needs to be
taken into consideration.
> Signed-off-by: Etienne <etienne.basset@numericable.fr>
> ------
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index 0278bc0..9d2576d 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -1540,7 +1540,7 @@ static char *smack_host_label(struct sockaddr_in
> *sip) * If the list entry mask is less specific than the best * already
> found this entry is uninteresting.
> */
> - if ((miap->s_addr | bestmask.s_addr) == bestmask.s_addr)
> + if ( ((miap->s_addr | bestmask.s_addr) == bestmask.s_addr)
> && (miap->s_addr | bestmask.s_addr) != 0 ) continue;
> /*
> * This is better than any entry found so far.
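Review bot: the added `!= 0` guard recomputes `(miap->s_addr | bestmask.s_addr)` and the comment above the check still only says that a less specific mask is uninteresting; compute the OR once into a local and extend the comment to say that an all-zero mask (a 0.0.0.0/0 entry) is now accepted as long as nothing has matched yet (bestmask still 0). Because bestmask stays 0 after such a match, a later /0 entry overrides an earlier one, so the first-match rule no longer holds for those entries, which is the exception Paul describes above. Style: `if ( ((` carries spaces inside the parentheses that checkpatch flags.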
--
paul moore
linux @ hp
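As an added example (not code from this thread or from the Smack code base), the following user-space C model replays the smack_host_label() list scan with three skip rules: the original check, the check from the quoted hunk, and the longest-mask-first sorted list etienne suggests. struct entry, scan(), scan_sorted(), lookup() and the sample lists are constructed stand-ins for Smack's smk_netlbladdr list, not its real structures; list_b is the two-/0-entries case that shows the first-match exception discussed above.

```c
/* Added example: user-space model of the smack_host_label() scan; the
 * types, functions and sample lists are constructed, not Smack's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP4(a, b, c, d) \
	(((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define LEN(x) (sizeof(x) / sizeof((x)[0]))

struct entry {
	uint32_t host;     /* network address, host byte order */
	uint32_t mask;     /* contiguous netmask; 0 means a 0.0.0.0/0 entry */
	const char *label; /* label returned on a match */
};

enum check { ORIGINAL, PATCHED, SORTED };

/* List-order scan as in smack_host_label(); `how` selects the skip rule. */
static const char *scan(const struct entry *list, size_t n, uint32_t addr,
			enum check how)
{
	uint32_t bestmask = 0;
	const char *bestlabel = NULL;
	size_t i;

	for (i = 0; i < n; i++) {
		uint32_t m = list[i].mask;

		/* Entry no more specific than the best so far is uninteresting,
		 * except that the hunk's extra term lets a /0 entry through
		 * while bestmask is still 0 (nothing has matched yet). */
		if ((m | bestmask) == bestmask) {
			if (how == ORIGINAL || (m | bestmask) != 0)
				continue;
		}
		if ((list[i].host & m) == (addr & m)) {
			bestmask = m;
			bestlabel = list[i].label;
		}
	}
	return bestlabel;
}

/* Etienne's alternative: entries sorted longest mask first (for contiguous
 * masks a longer prefix is the larger unsigned value; stable insertion keeps
 * list order among equal masks), then stop at the first hit. */
static const char *scan_sorted(const struct entry *list, size_t n, uint32_t addr)
{
	struct entry sorted[16]; /* fixed-size scratch copy for the demo */
	size_t len = 0, i, j;

	if (n > LEN(sorted))
		return NULL;
	for (i = 0; i < n; i++) {
		for (j = len; j > 0 && sorted[j - 1].mask < list[i].mask; j--)
			sorted[j] = sorted[j - 1];
		sorted[j] = list[i];
		len++;
	}
	for (i = 0; i < len; i++)
		if ((sorted[i].host & sorted[i].mask) == (addr & sorted[i].mask))
			return sorted[i].label;
	return NULL;
}

/* Resolve addr with one strategy; "(none)" stands for a NULL label. */
const char *lookup(const struct entry *list, size_t n, uint32_t addr, enum check how)
{
	const char *l = how == SORTED ? scan_sorted(list, n, addr)
				      : scan(list, n, addr, how);
	return l ? l : "(none)";
}

/* Constructed sample lists. */
const struct entry list_a[] = { /* a /8, a catch-all /0 in the middle, a /16 */
	{ IP4(10, 0, 0, 0), IP4(255, 0, 0, 0), "wide" },
	{ IP4(0, 0, 0, 0), IP4(0, 0, 0, 0), "default" },
	{ IP4(10, 1, 0, 0), IP4(255, 255, 0, 0), "narrow" },
};
const struct entry list_b[] = { /* two distinct /0 entries */
	{ IP4(0, 0, 0, 0), 0, "default-a" },
	{ IP4(10, 0, 0, 0), 0, "default-b" },
};
const struct entry list_c[] = { /* duplicate /8 entries: the first should win */
	{ IP4(10, 0, 0, 0), IP4(255, 0, 0, 0), "first" },
	{ IP4(10, 0, 0, 0), IP4(255, 0, 0, 0), "second" },
};

int main(void)
{
	static const char *const names[] = { "original", "patched", "sorted" };
	int how;

	for (how = ORIGINAL; how <= SORTED; how++)
		printf("%-8s a:10.1.2.3=%s a:192.168.1.1=%s b:1.2.3.4=%s c:10.9.9.9=%s\n",
		       names[how],
		       lookup(list_a, LEN(list_a), IP4(10, 1, 2, 3), (enum check)how),
		       lookup(list_a, LEN(list_a), IP4(192, 168, 1, 1), (enum check)how),
		       lookup(list_b, LEN(list_b), IP4(1, 2, 3, 4), (enum check)how),
		       lookup(list_c, LEN(list_c), IP4(10, 9, 9, 9), (enum check)how));
	return 0;
}
```

Running it shows the three rules agreeing on ordinary overlaps (10.1.2.3 resolves to "narrow" everywhere, duplicate /8 entries keep the first) and diverging only on /0: the original check never returns a /0 entry, the patched check returns the last of several /0 entries, and the sorted list returns the first.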