From: etienne <etienne.basset@numericable.fr>
To: Paul Moore <paul.moore@hp.com>
Cc: Casey Schaufler <casey@schaufler-ca.com>,
Linux-Kernel <linux-kernel@vger.kernel.org>,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH] SMACK netfilter smacklabel socket match
Date: Wed, 18 Feb 2009 08:23:24 +0100
Message-ID: <499BB76C.1030109@numericable.fr>
In-Reply-To: <200902171852.21061.paul.moore@hp.com>
Paul Moore wrote:
> On Tuesday 17 February 2009 03:01:15 pm etienne wrote:
>> I realize this patch is a little ugly, a cleaner way would be to insert
>> struct smk_netlbladdr sorted from longest to smallest mask and break the
>> loop as soon as we have a match... regards,
>
> Agreed, the address matching code really should be improved; if you feel like
> you could contribute the changes I'm pretty sure Casey would welcome the
> patches :)
>
Yes, I could try that, this weekend maybe.
> Regarding your fix below, I think a cleaner solution would be to do something
> like the following in place of the existing mask check ...
>
> if ((miap->s_addr & bestmask.s_addr) || (bestmask.s_addr == 0)) {
>         bestmask.s_addr = miap->s_addr;
>         bestlabel = snp->smk_label;
> }
>
> ... however there is one small problem with this approach (your proposal
> suffers from the same issue): normally the smack_host_label() code prefers the
> first matching entry in the list, the change above preserves that with the
> exception of a 0.0.0.0/0 entry. Granted, you shouldn't allow that in the
> first place but I believe it is possible so it is something that needs to be
> taken into consideration.
>
hummm... I didn't see it that way; I think this function is basically a reimplementation of IPv4 classless routing (longest match first)?
Anyway, I think the cleanest way would be to, well, sort smk_netlbladdr by mask on insertion (perf doesn't matter here), and this way smack_host_label can stop the loop on the first match.
Plus, it would give a nicer /smack/netlabel output :)
So, how should we handle it? Apply the patches (with whitespace damage corrected ;) ) now (as it corrects a bug) and elaborate the cleaner way later?
I think this should go to stable too?
regards
Etienne
>> Signed-off-by: Etienne <etienne.basset@numericable.fr>
>> ------
>> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
>> index 0278bc0..9d2576d 100644
>> --- a/security/smack/smack_lsm.c
>> +++ b/security/smack/smack_lsm.c
>> @@ -1540,7 +1540,7 @@ static char *smack_host_label(struct sockaddr_in
>> *sip) * If the list entry mask is less specific than the best * already
>> found this entry is uninteresting.
>> */
>> - if ((miap->s_addr | bestmask.s_addr) == bestmask.s_addr)
>> + if ( ((miap->s_addr | bestmask.s_addr) == bestmask.s_addr)
>> && (miap->s_addr | bestmask.s_addr) != 0 ) continue;
>> /*
>> * This is better than any entry found so far.
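Review bot: the added `&& (miap->s_addr | bestmask.s_addr) != 0` only exempts the case where both masks are zero, so while it lets a 0.0.0.0/0 entry be selected at all, it also stops skipping every later /0 entry, and the last such entry in the list wins, unlike every other mask length where the first matching entry is kept (the exception Paul Moore raises above). Tracking whether any entry has matched yet in a separate flag, rather than treating `bestmask.s_addr == 0` as "nothing found", would keep first-match semantics for /0 as well. Style: `if ( ((miap->s_addr | bestmask.s_addr) == bestmask.s_addr)` has spaces inside the parentheses and the `continue;` shares a line with its condition, both against kernel coding style, and the `+` lines look whitespace-damaged, as the reply itself acknowledges.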
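To make the three behaviours discussed in this thread concrete (the original mask check that can never pick a 0.0.0.0/0 entry, the patched check that picks it but lets a later /0 entry override an earlier one, and Etienne's proposal of a list kept sorted by mask length with first-match lookup), here is a small userspace model. It is an added example, not kernel code: `struct nladdr`, `sorted_list`, `lookup_*` and the sample entries are this example's own constructions standing in for `struct smk_netlbladdr` and `smack_host_label()`, and addresses are plain host-order integers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace stand-in for a /smack/netlabel entry (kernel: struct smk_netlbladdr).
 * Field names are this example's own; addresses/masks are host-order integers. */
struct nladdr {
	uint32_t host;      /* network part, already masked */
	uint32_t mask;      /* 0xffff0000 for /16, 0 for /0 */
	const char *label;
};

static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
	return (a << 24) | (b << 16) | (c << 8) | d;
}

/* Constructed list in insertion order; two /0 entries on purpose. */
static const struct nladdr sample_list[] = {
	{ 0xC0A80000u, 0xffff0000u, "lan" },      /* 192.168.0.0/16 */
	{ 0,           0,           "default" },  /* 0.0.0.0/0 */
	{ 0xC0A80100u, 0xffffff00u, "dmz" },      /* 192.168.1.0/24 */
	{ 0,           0,           "default2" }, /* second 0.0.0.0/0 */
};
#define SAMPLE_N (sizeof sample_list / sizeof sample_list[0])

/* Keep the most specific match, using the mask check the quoted hunk replaces.
 * bestmask starts at 0, so a /0 entry is always judged "not more specific"
 * than the best so far and can never be selected. */
static const char *lookup_original(const struct nladdr *l, size_t n, uint32_t ip)
{
	uint32_t bestmask = 0;
	const char *best = NULL;

	for (size_t i = 0; i < n; i++) {
		if ((ip & l[i].mask) != l[i].host)
			continue;
		if ((l[i].mask | bestmask) == bestmask)
			continue;
		bestmask = l[i].mask;
		best = l[i].label;
	}
	return best;
}

/* Same walk with the hunk's extra condition: a /0 entry is now accepted,
 * but every later /0 entry is accepted too, so the last one wins rather
 * than the first (the first-match exception raised in the thread). */
static const char *lookup_patched(const struct nladdr *l, size_t n, uint32_t ip)
{
	uint32_t bestmask = 0;
	const char *best = NULL;

	for (size_t i = 0; i < n; i++) {
		if ((ip & l[i].mask) != l[i].host)
			continue;
		if ((l[i].mask | bestmask) == bestmask &&
		    (l[i].mask | bestmask) != 0)
			continue;
		bestmask = l[i].mask;
		best = l[i].label;
	}
	return best;
}

/* Sorted alternative: order entries by prefix length, longest first, placing
 * a new entry after existing ones of equal length so the first-inserted entry
 * still wins ties; lookup then stops at the first hit. */
struct sorted_list {
	struct nladdr e[16];
	size_t n;
};

static unsigned prefix_len(uint32_t mask)
{
	unsigned bits = 0;

	for (; mask; mask <<= 1)   /* count the leading ones of a contiguous mask */
		bits++;
	return bits;
}

static int sorted_insert(struct sorted_list *l, struct nladdr e)
{
	size_t pos = 0;

	if (l->n >= sizeof l->e / sizeof l->e[0])
		return -1;
	while (pos < l->n && prefix_len(l->e[pos].mask) >= prefix_len(e.mask))
		pos++;
	memmove(&l->e[pos + 1], &l->e[pos], (l->n - pos) * sizeof e);
	l->e[pos] = e;
	l->n++;
	return 0;
}

static const char *lookup_sorted(const struct sorted_list *l, uint32_t ip)
{
	for (size_t i = 0; i < l->n; i++)
		if ((ip & l->e[i].mask) == l->e[i].host)
			return l->e[i].label;
	return NULL;
}

/* Builds the sorted list from sample_list in its insertion order. */
static const struct sorted_list *sorted_sample(void)
{
	static struct sorted_list s;

	s.n = 0;
	for (size_t i = 0; i < SAMPLE_N; i++)
		sorted_insert(&s, sample_list[i]);
	return &s;
}

int main(void)
{
	uint32_t probes[] = { ip4(192, 168, 1, 7), ip4(10, 0, 0, 1) };

	for (size_t i = 0; i < 2; i++) {
		const char *o = lookup_original(sample_list, SAMPLE_N, probes[i]);
		const char *p = lookup_patched(sample_list, SAMPLE_N, probes[i]);
		const char *s = lookup_sorted(sorted_sample(), probes[i]);

		printf("probe %zu: original=%s patched=%s sorted=%s\n", i,
		       o ? o : "(none)", p ? p : "(none)", s ? s : "(none)");
	}
	return 0;
}
```

For 192.168.1.7 all three variants agree on "dmz". For 10.0.0.1 the original check returns nothing, the patched check returns "default2" because the second /0 entry overrides the first, and the sorted list returns "default", keeping first-match order among equal-length masks.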