* Re: [PATCH v2] selinux: rate-limit unrecognized netlink message warnings in selinux_nlmsg_perm() [not found] <1446649357-8334-1-git-send-email-vdronov@redhat.com> @ 2015-11-06 17:33 ` Paul Moore 2015-11-09 10:02 ` Vladis Dronov 0 siblings, 1 reply; 5+ messages in thread From: Paul Moore @ 2015-11-06 17:33 UTC (permalink / raw) To: Vladis Dronov; +Cc: linux-security-module, selinux On Wednesday, November 04, 2015 04:02:36 PM Vladis Dronov wrote: > Any process is able to send netlink messages with invalid types. > Make the warning rate-limited to prevent too much log spam. > > The warning is supposed to help to find misbehaving programs, so > print the triggering command name and pid. > > Signed-off-by: Vladis Dronov <vdronov@redhat.com> > --- > security/selinux/hooks.c | 9 +++++---- > 1 file changed, 5 insertions(+), 4 deletions(-) Did you want the "Reported-by" tag included? I'm also adding the SELinux list back to the CC line. > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index e4369d8..3d8087d 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -4787,11 +4787,12 @@ static int selinux_nlmsg_perm(struct sock *sk, > struct sk_buff *skb) err = selinux_nlmsg_lookup(sksec->sclass, > nlh->nlmsg_type, &perm); if (err) { > if (err == -EINVAL) { > - printk(KERN_WARNING > - "SELinux: unrecognized netlink message:" > - " protocol=%hu nlmsg_type=%hu sclass=%s\n", > + pr_warn_ratelimited("SELinux: unrecognized netlink" > + " message: protocol=%hu nlmsg_type=%hu sclass=%s" > + " from %s[%d]\n", > sk->sk_protocol, nlh->nlmsg_type, > - secclass_map[sksec->sclass - 1].name); > + secclass_map[sksec->sclass - 1].name, > + current->comm, current->pid); > if (!selinux_enforcing || security_get_allow_unknown()) > err = 0; > } -- paul moore www.paul-moore.com ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v2] selinux: rate-limit unrecognized netlink message warnings in selinux_nlmsg_perm() 2015-11-06 17:33 ` [PATCH v2] selinux: rate-limit unrecognized netlink message warnings in selinux_nlmsg_perm() Paul Moore @ 2015-11-09 10:02 ` Vladis Dronov 0 siblings, 0 replies; 5+ messages in thread From: Vladis Dronov @ 2015-11-09 10:02 UTC (permalink / raw) To: Paul Moore; +Cc: linux-security-module, selinux Hello, Paul. >> Did you want the "Reported-by" tag included? I'm also adding the SELinux list >> back to the CC line. Yes, could you please, indeed include lost line "Reported-by: Florian Weimer <fweimer@redhat.com>". It was my fault of omitting it while re-composing commit message. Vladis Dronov | Red Hat, Inc. | Product Security Engineer | ----- Original Message ----- From: "Paul Moore" <paul@paul-moore.com> To: "Vladis Dronov" <vdronov@redhat.com> Cc: linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov Sent: Friday, November 6, 2015 6:33:39 PM Subject: Re: [PATCH v2] selinux: rate-limit unrecognized netlink message warnings in selinux_nlmsg_perm() On Wednesday, November 04, 2015 04:02:36 PM Vladis Dronov wrote: > Any process is able to send netlink messages with invalid types. > Make the warning rate-limited to prevent too much log spam. > > The warning is supposed to help to find misbehaving programs, so > print the triggering command name and pid. > > Signed-off-by: Vladis Dronov <vdronov@redhat.com> > --- > security/selinux/hooks.c | 9 +++++---- > 1 file changed, 5 insertions(+), 4 deletions(-) Did you want the "Reported-by" tag included? I'm also adding the SELinux list back to the CC line. > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index e4369d8..3d8087d 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -4787,11 +4787,12 @@ static int selinux_nlmsg_perm(struct sock *sk, > struct sk_buff *skb) err = selinux_nlmsg_lookup(sksec->sclass, > nlh->nlmsg_type, &perm); if (err) { > if (err == -EINVAL) { > - printk(KERN_WARNING > - "SELinux: unrecognized netlink message:" > - " protocol=%hu nlmsg_type=%hu sclass=%s\n", > + pr_warn_ratelimited("SELinux: unrecognized netlink" > + " message: protocol=%hu nlmsg_type=%hu sclass=%s" > + " from %s[%d]\n", > sk->sk_protocol, nlh->nlmsg_type, > - secclass_map[sksec->sclass - 1].name); > + secclass_map[sksec->sclass - 1].name, > + current->comm, current->pid); > if (!selinux_enforcing || security_get_allow_unknown()) > err = 0; > } -- paul moore www.paul-moore.com ^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH v2] selinux: rate-limit unrecognized netlink message warnings in selinux_nlmsg_perm() @ 2015-11-04 10:35 Vladis Dronov 2015-11-10 23:07 ` Paul Moore 0 siblings, 1 reply; 5+ messages in thread From: Vladis Dronov @ 2015-11-04 10:35 UTC (permalink / raw) To: <selinux@tycho.nsa.gov>; +Cc: Vladis Dronov Any process is able to send netlink messages with invalid types. Make the warning rate-limited to prevent too much log spam. The warning is supposed to help to find misbehaving programs, so print the triggering command name and pid. Reported-by: Florian Weimer <fweimer@redhat.com> Signed-off-by: Vladis Dronov <vdronov@redhat.com> --- security/selinux/hooks.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index e4369d8..3d8087d 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -4787,11 +4787,12 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm); if (err) { if (err == -EINVAL) { - printk(KERN_WARNING - "SELinux: unrecognized netlink message:" - " protocol=%hu nlmsg_type=%hu sclass=%s\n", + pr_warn_ratelimited("SELinux: unrecognized netlink" + " message: protocol=%hu nlmsg_type=%hu sclass=%s" + " from %s[%d]\n", sk->sk_protocol, nlh->nlmsg_type, - secclass_map[sksec->sclass - 1].name); + secclass_map[sksec->sclass - 1].name, + current->comm, current->pid); if (!selinux_enforcing || security_get_allow_unknown()) err = 0; } -- ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH v2] selinux: rate-limit unrecognized netlink message warnings in selinux_nlmsg_perm() 2015-11-04 10:35 Vladis Dronov @ 2015-11-10 23:07 ` Paul Moore 2015-11-13 14:20 ` Vladis Dronov 0 siblings, 1 reply; 5+ messages in thread From: Paul Moore @ 2015-11-10 23:07 UTC (permalink / raw) To: Vladis Dronov; +Cc: selinux, linux-security-module On Wednesday, November 04, 2015 11:35:51 AM Vladis Dronov wrote: > Any process is able to send netlink messages with invalid types. > Make the warning rate-limited to prevent too much log spam. > > The warning is supposed to help to find misbehaving programs, so > print the triggering command name and pid. > > Reported-by: Florian Weimer <fweimer@redhat.com> > Signed-off-by: Vladis Dronov <vdronov@redhat.com> > --- > security/selinux/hooks.c | 9 +++++---- > 1 file changed, 5 insertions(+), 4 deletions(-) > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index e4369d8..3d8087d 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -4787,11 +4787,12 @@ static int selinux_nlmsg_perm(struct sock *sk, > struct sk_buff *skb) err = selinux_nlmsg_lookup(sksec->sclass, > nlh->nlmsg_type, &perm); if (err) { > if (err == -EINVAL) { > - printk(KERN_WARNING > - "SELinux: unrecognized netlink message:" > - " protocol=%hu nlmsg_type=%hu sclass=%s\n", > + pr_warn_ratelimited("SELinux: unrecognized netlink" > + " message: protocol=%hu nlmsg_type=%hu sclass=%s" > + " from %s[%d]\n", > sk->sk_protocol, nlh->nlmsg_type, > - secclass_map[sksec->sclass - 1].name); > + secclass_map[sksec->sclass - 1].name, > + current->comm, current->pid); I should have looked at more closely at the actual changes earlier, but the other issues with your posting distracted me ... while this isn't an audit message, it tends to follow the audit-ish name=value format so let's stick with that in this message, I would also suggest using task_pid_nr() so the line should look something like this: pr_warn_ratelimited("SELinux: unrecognized netlink" " message: protocol=%hu nlmsg_type=%hu sclass=%s" " pig=%d comm=%s\n", sk->sk_protocol, nlh->nlmsg_type, secclass_map[sksec->sclass - 1].name, task_pid_nr(current), current->comm); -- paul moore www.paul-moore.com ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v2] selinux: rate-limit unrecognized netlink message warnings in selinux_nlmsg_perm() 2015-11-10 23:07 ` Paul Moore @ 2015-11-13 14:20 ` Vladis Dronov 0 siblings, 0 replies; 5+ messages in thread From: Vladis Dronov @ 2015-11-13 14:20 UTC (permalink / raw) To: Paul Moore; +Cc: selinux, linux-security-module Hello, Paul, Thank you for the corrections and your time. I've just sent a next patch version to the list. I hope it would be more acceptable. Best regards, Vladis Dronov | Red Hat, Inc. | Product Security Engineer ----- Original Message ----- From: "Paul Moore" <paul@paul-moore.com> To: "Vladis Dronov" <vdronov@redhat.com> Cc: selinux@tycho.nsa.gov, linux-security-module@vger.kernel.org Sent: Wednesday, November 11, 2015 12:07:23 AM Subject: Re: [PATCH v2] selinux: rate-limit unrecognized netlink message warnings in selinux_nlmsg_perm() On Wednesday, November 04, 2015 11:35:51 AM Vladis Dronov wrote: > Any process is able to send netlink messages with invalid types. > Make the warning rate-limited to prevent too much log spam. > > The warning is supposed to help to find misbehaving programs, so > print the triggering command name and pid. > > Reported-by: Florian Weimer <fweimer@redhat.com> > Signed-off-by: Vladis Dronov <vdronov@redhat.com> > --- > security/selinux/hooks.c | 9 +++++---- > 1 file changed, 5 insertions(+), 4 deletions(-) > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index e4369d8..3d8087d 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -4787,11 +4787,12 @@ static int selinux_nlmsg_perm(struct sock *sk, > struct sk_buff *skb) err = selinux_nlmsg_lookup(sksec->sclass, > nlh->nlmsg_type, &perm); if (err) { > if (err == -EINVAL) { > - printk(KERN_WARNING > - "SELinux: unrecognized netlink message:" > - " protocol=%hu nlmsg_type=%hu sclass=%s\n", > + pr_warn_ratelimited("SELinux: unrecognized netlink" > + " message: protocol=%hu nlmsg_type=%hu sclass=%s" > + " from %s[%d]\n", > sk->sk_protocol, nlh->nlmsg_type, > - secclass_map[sksec->sclass - 1].name); > + secclass_map[sksec->sclass - 1].name, > + current->comm, current->pid); I should have looked at more closely at the actual changes earlier, but the other issues with your posting distracted me ... while this isn't an audit message, it tends to follow the audit-ish name=value format so let's stick with that in this message, I would also suggest using task_pid_nr() so the line should look something like this: pr_warn_ratelimited("SELinux: unrecognized netlink" " message: protocol=%hu nlmsg_type=%hu sclass=%s" " pig=%d comm=%s\n", sk->sk_protocol, nlh->nlmsg_type, secclass_map[sksec->sclass - 1].name, task_pid_nr(current), current->comm); -- paul moore www.paul-moore.com ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2015-11-13 14:20 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <1446649357-8334-1-git-send-email-vdronov@redhat.com>
2015-11-06 17:33 ` [PATCH v2] selinux: rate-limit unrecognized netlink message warnings in selinux_nlmsg_perm() Paul Moore
2015-11-09 10:02 ` Vladis Dronov
2015-11-04 10:35 Vladis Dronov
2015-11-10 23:07 ` Paul Moore
2015-11-13 14:20 ` Vladis Dronov
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.