From: Paul Moore <paul.moore@hp.com>
To: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Cc: linux-security-module@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH] LSM: Add security_socket_post_accept() and security_socket_post_recv_datagram().
Date: Tue, 14 Apr 2009 18:59:56 -0400 [thread overview]
Message-ID: <200904141859.57965.paul.moore@hp.com> (raw)
In-Reply-To: <200904141944.JFE64074.FHtOMOFQLFJOVS@I-love.SAKURA.ne.jp>
On Tuesday 14 April 2009 06:44:35 am Tetsuo Handa wrote:
> Hello.
>
> The security_socket_post_accept() hook was recently removed because this
> hook was not used by any in-tree modules and its existence continued to
> cause problems by confusing people about what can be safely accomplished
> using this hook. Now, TOMOYO became in-tree and TOMOYO wants to add network
> access control in 2.6.31.
>
> TOMOYO is not a label based access control and won't cause packet labeling
> problem. TOMOYO won't care as long as packets are not copied to userspace.
We've discussed this issue several times on the mailing list so I won't go
over all of the details again, but I will say that my main concern with the
post_accept() hook is that you are rejecting a connection after is has already
gone through the connection handshake. I personally don't feel this is a good
approach but I don't want to stand in your way if I am alone on this point.
I'm less concerned about the recv_datagram() hook although the issues you
point out about sharing sockets across multiple processes does highlight what
I believe are some fundamental issues regarding the TOMOYO network security
model. Once again, I'm not going to object if I am the only one.
Lastly, I think in order to review these patches we need to see how they are
used. Please submit a patch set that includes both this patch as well as a
patch to TOMOYO which makes use of these changes; this way we can properly
review your patches in context. Regardless, I took a quick look and noticed a
few things (below).
Thanks.
> --- security-testing-2.6.git.orig/net/core/datagram.c
> +++ security-testing-2.6.git/net/core/datagram.c
> @@ -55,6 +55,7 @@
> #include <net/checksum.h>
> #include <net/sock.h>
> #include <net/tcp_states.h>
> +#include <linux/security.h>
>
> /*
> * Is a socket 'connection oriented' ?
> @@ -148,6 +149,7 @@ struct sk_buff *__skb_recv_datagram(stru
> {
> struct sk_buff *skb;
> long timeo;
> + unsigned long cpu_flags;
> /*
> * Caller is allowed not to check sk->sk_err before skb_recv_datagram()
> */
> @@ -165,7 +167,6 @@ struct sk_buff *__skb_recv_datagram(stru
> * Look at current nfs client by the way...
> * However, this function was corrent in any case. 8)
> */
> - unsigned long cpu_flags;
>
> spin_lock_irqsave(&sk->sk_receive_queue.lock, cpu_flags);
> skb = skb_peek(&sk->sk_receive_queue);
> @@ -179,6 +180,14 @@ struct sk_buff *__skb_recv_datagram(stru
> }
> spin_unlock_irqrestore(&sk->sk_receive_queue.lock, cpu_flags);
>
> + /* Filter packets from unwanted peers. */
It might be best to drop this comment, we don't want to speculate how the LSM
might be making access controls decisions here.
> + if (skb) {
> + error = security_socket_post_recv_datagram(sk, skb,
> + flags);
> + if (error)
> + goto force_dequeue;
> + }
> +
> if (skb)
> return skb;
Why check to see if skb != NULL twice? I think you should be able to move the
skb return statement into the body of the first if block.
> @@ -191,6 +200,24 @@ struct sk_buff *__skb_recv_datagram(stru
>
> return NULL;
>
> +force_dequeue:
> + /* Drop this packet because LSM says "Don't pass it to the caller". */
Once again, remove this comment since we don't know what a LSM might decide.
> + if (!(flags & MSG_PEEK))
> + goto no_peek;
> + /*
> + * If this packet is MSG_PEEK'ed, dequeue it forcibly
> + * so that this packet won't prevent the caller from picking up
> + * next packet.
> + */
> + spin_lock_irqsave(&sk->sk_receive_queue.lock, cpu_flags);
> + if (skb == skb_peek(&sk->sk_receive_queue)) {
> + __skb_unlink(skb, &sk->sk_receive_queue);
> + atomic_dec(&skb->users);
> + /* Do I have something to do with skb->peeked ? */
I don't know but you should find out before this code is merged :)
> + }
> + spin_unlock_irqrestore(&sk->sk_receive_queue.lock, cpu_flags);
> +no_peek:
> + kfree_skb(skb);
> no_packet:
> *err = error;
> return NULL;
--
paul moore
linux @ hp
next prev parent reply other threads:[~2009-04-14 22:59 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-04-14 10:44 [PATCH] LSM: Add security_socket_post_accept() and security_socket_post_recv_datagram() Tetsuo Handa
2009-04-14 22:59 ` Paul Moore [this message]
2009-04-15 5:12 ` Tetsuo Handa
2009-04-15 10:51 ` [PATCH 1/2] " Tetsuo Handa
2009-04-15 10:51 ` [PATCH 2/2] tomoyo: Add network access control support Tetsuo Handa
2009-04-16 18:23 ` [PATCH] LSM: Add security_socket_post_accept() and security_socket_post_recv_datagram() Paul Moore
2009-04-18 8:34 ` Tetsuo Handa
2009-04-20 22:22 ` Paul Moore
2009-04-21 10:54 ` Tetsuo Handa
2009-04-21 10:57 ` David Miller
2009-04-21 11:39 ` Tetsuo Handa
2009-04-21 11:40 ` David Miller
2009-04-21 12:26 ` Tetsuo Handa
2009-04-21 12:37 ` David Miller
2009-04-21 12:52 ` [PATCH] LSM: Add security_socket_post_accept() andsecurity_socket_post_recv_datagram() Tetsuo Handa
2009-04-21 13:04 ` David Miller
2009-04-22 0:55 ` [PATCH] LSM: Add security_socket_post_accept() and security_socket_post_recv_datagram() Tetsuo Handa
2009-04-22 1:14 ` David Miller
2009-04-22 1:49 ` Tetsuo Handa
2009-04-22 4:22 ` David Miller
2009-04-22 5:02 ` Tetsuo Handa
2009-04-22 5:07 ` David Miller
2009-04-22 5:38 ` Tetsuo Handa
2009-04-22 5:52 ` David Miller
2009-04-23 14:00 ` Tetsuo Handa
2009-04-23 14:10 ` David Miller
2009-04-23 14:47 ` Samir Bellabes
2009-04-22 1:52 ` Greg Lindahl
2009-04-22 4:23 ` David Miller
2009-04-22 6:10 ` Greg Lindahl
2009-04-22 6:34 ` David Miller
2009-04-22 6:41 ` Greg Lindahl
2009-04-22 6:46 ` David Miller
2009-04-22 6:54 ` Greg Lindahl
2009-04-22 6:58 ` David Miller
2009-04-22 7:19 ` Tetsuo Handa
2009-04-24 2:07 ` Tetsuo Handa
2009-04-24 4:35 ` David Miller
2009-04-24 4:41 ` David Miller
2009-04-24 4:55 ` Tetsuo Handa
2009-04-24 5:26 ` Tetsuo Handa
2009-04-24 11:40 ` David Miller
2009-04-24 13:57 ` [PATCH] LSM: Add security_socket_post_accept() andsecurity_socket_post_recv_datagram() Tetsuo Handa
2009-04-19 8:03 ` [PATCH v2] LSM: Add security_socket_post_accept() and security_socket_post_recv_datagram() Tetsuo Handa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200904141859.57965.paul.moore@hp.com \
--to=paul.moore@hp.com \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=penguin-kernel@i-love.sakura.ne.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.