From: Paul Moore <pmoore@redhat.com>
To: davem@davemloft.net
Cc: netdev@vger.kernel.org, linux-security-module@vger.kernel.org,
	selinux@tycho.nsa.gov
Subject: Re: [PATCH] cipso: don't use IPCB() to locate the CIPSO IP option
Date: Fri, 06 Feb 2015 15:03:05 -0500
Message-ID: <79075962.e3G0NVBHuh@sifl>
In-Reply-To: <20150206195728.28733.12118.stgit@localhost>

On Friday, February 06, 2015 02:57:28 PM Paul Moore wrote:
> Using the IPCB() macro to get the IPv4 options is convenient, but
> unfortunately NetLabel often needs to examine the CIPSO option outside
> of the scope of the IP layer in the stack.  While historically IPCB()
> worked above the IP layer, due to the inclusion of the inet_skb_param
> struct at the head of the {tcp,udp}_skb_cb structs, recent commit
> 971f10ec ("tcp: better TCP_SKB_CB layout to reduce cache line misses")
> reordered the tcp_skb_cb struct and invalidated this IPCB() trick.
> 
> This patch fixes the problem by creating a new function,
> cipso_v4_optptr(), which locates the CIPSO option inside the IP header
> without calling IPCB().  Unfortunately, this isn't as fast as a simple
> lookup so some additional tweaks were made to limit the use of this
> new function.
> 
> Cc: <stable@vger.kernel.org> # 3.18
> Reported-by: Casey Schaufler <casey@schaufler-ca.com>
> Signed-off-by: Paul Moore <pmoore@redhat.com>

DaveM, I'd prefer this go upstream via the SELinux/security tree so we don't 
have to worry about syncing up with the netdev tree to get this fix.  Any 
objections on your part (this patch only touches NetLabel/CIPSO)?

-- 
paul moore
security @ redhat
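
As an added illustration of the lookup the commit message describes (this is
example code written for this page, not the kernel's cipso_v4_optptr(), which
works on an sk_buff), the C below walks the IPv4 options area straight from
the packet bytes instead of relying on any per-skb control block. It treats
the header as untrusted: the IHL, each option's length byte and the CIPSO
DOI field are bounds-checked before use. The packet bytes are constructed for
the example; the option type value 134 is IPOPT_CIPSO from <linux/ip.h>.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IPv4 option type codes (RFC 791; IPOPT_* in <linux/ip.h>). */
#define IPOPT_END   0
#define IPOPT_NOOP  1
#define IPOPT_CIPSO 134   /* option number 6 with the copy bit set */

/*
 * Locate the CIPSO option in an IPv4 packet that starts at the IP header.
 * Returns the byte offset of the option's type byte, or -1 if the header
 * is malformed or carries no CIPSO option.  Only the bytes between the
 * fixed 20-byte header and the end of IHL are examined, so nothing here
 * depends on skb->cb or on which layer of the stack is calling.
 */
int find_cipso_opt(const uint8_t *pkt, size_t len)
{
    if (len < 20)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len)
        return -1;                      /* IHL shorter than the fixed header or past the buffer */

    size_t off = 20;
    while (off < ihl) {
        uint8_t type = pkt[off];
        if (type == IPOPT_END)
            return -1;                  /* end-of-options: nothing after this counts */
        if (type == IPOPT_NOOP) {
            off++;                      /* single-byte pad */
            continue;
        }
        if (off + 1 >= ihl)
            return -1;                  /* no room for the length byte */
        uint8_t olen = pkt[off + 1];
        if (olen < 2 || off + olen > ihl)
            return -1;                  /* length loops or overruns the header */
        if (type == IPOPT_CIPSO)
            return (int)off;
        off += olen;
    }
    return -1;
}

/* Read the 32-bit big-endian DOI that follows the CIPSO type/length bytes;
 * returns 0 when no well-formed CIPSO option is present. */
uint32_t cipso_doi(const uint8_t *pkt, size_t len)
{
    int off = find_cipso_opt(pkt, len);
    if (off < 0 || pkt[off + 1] < 6)
        return 0;
    const uint8_t *p = pkt + off + 2;
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Constructed sample (not a real capture): IHL = 8 (32-byte header), two
 * NOPs, then a 10-byte CIPSO option carrying DOI 1 and one tag-type-1 tag. */
static const uint8_t sample_pkt[32] = {
    0x48, 0x00, 0x00, 0x20,          /* version 4, IHL 8, total length 32 */
    0x00, 0x00, 0x40, 0x00,          /* id, flags (DF), fragment offset */
    0x40, 0x06, 0x00, 0x00,          /* TTL 64, protocol TCP, checksum unset */
    10, 0, 0, 1,                     /* source address */
    10, 0, 0, 2,                     /* destination address */
    IPOPT_NOOP, IPOPT_NOOP,          /* offsets 20, 21 */
    IPOPT_CIPSO, 10, 0, 0, 0, 1,     /* offset 22: type, length, DOI = 1 */
    1, 4, 0, 0                       /* tag type 1, tag length 4, align, level 0 */
};

int sample_cipso_offset(void)
{
    return find_cipso_opt(sample_pkt, sizeof sample_pkt);
}

/* Same packet with the CIPSO length byte claiming 20 bytes: overruns IHL. */
int malformed_cipso_offset(void)
{
    uint8_t bad[32];
    memcpy(bad, sample_pkt, sizeof bad);
    bad[23] = 20;
    return find_cipso_opt(bad, sizeof bad);
}

/* Same fixed header with IHL = 5: no options area at all. */
int plain_header_offset(void)
{
    uint8_t plain[20];
    memcpy(plain, sample_pkt, sizeof plain);
    plain[0] = 0x45;
    return find_cipso_opt(plain, sizeof plain);
}

int main(void)
{
    printf("sample: offset %d, DOI %u\n", sample_cipso_offset(),
           cipso_doi(sample_pkt, sizeof sample_pkt));
    printf("malformed: %d, plain: %d\n", malformed_cipso_offset(),
           plain_header_offset());
    return 0;
}
```

The walk stops at IPOPT_END, steps over IPOPT_NOOP a byte at a time, and rejects any length byte below 2 or extending past IHL, which is the check that keeps a crafted options area from reading beyond the header. That is also why the commit message calls this slower than the IPCB() path: the option offset has to be rediscovered on every call rather than read from a cached field.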


Thread overview:
2015-02-06 19:57 [PATCH] cipso: don't use IPCB() to locate the CIPSO IP option Paul Moore
2015-02-06 20:03 ` Paul Moore [this message]
2015-02-06 22:27   ` David Miller
2015-02-06 22:51   ` Casey Schaufler
