From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: paul@paul-moore.com, linux-security-module@vger.kernel.org,
jmorris@namei.org, serge@hallyn.com, keescook@chromium.org,
john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp,
stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org,
selinux@vger.kernel.org, mic@digikod.net, netdev@vger.kernel.org,
audit@vger.kernel.org, netfilter-devel@vger.kernel.org,
Todd Kjos <tkjos@google.com>
Subject: Re: [PATCH v3 2/5] LSM: Replace context+len with lsm_context
Date: Thu, 24 Oct 2024 18:10:14 +0200 [thread overview]
Message-ID: <ZxpxZuErvXSLApsf@calendula> (raw)
In-Reply-To: <20241023212158.18718-3-casey@schaufler-ca.com>
Hi Casey,
This is a review of the netfilter chunk.
On Wed, Oct 23, 2024 at 02:21:55PM -0700, Casey Schaufler wrote:
> diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
> index 86a57a3afdd6..dd74d4c67c69 100644
> --- a/net/netfilter/nf_conntrack_netlink.c
> +++ b/net/netfilter/nf_conntrack_netlink.c
> @@ -360,8 +360,8 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
> struct lsm_context ctx;
> int ret;
>
> - ret = security_secid_to_secctx(ct->secmark, &ctx.context, &ctx.len);
> - if (ret)
> + ret = security_secid_to_secctx(ct->secmark, &ctx);
> + if (ret < 0)
> return 0;
>
> ret = -1;
> @@ -665,8 +665,8 @@ static inline int ctnetlink_secctx_size(const struct nf_conn *ct)
> #ifdef CONFIG_NF_CONNTRACK_SECMARK
> int len, ret;
>
> - ret = security_secid_to_secctx(ct->secmark, NULL, &len);
> - if (ret)
> + ret = security_secid_to_secctx(ct->secmark, NULL);
This breaks here.
len is actually used, so this should be instead:
ret = security_secid_to_secctx(ct->secmark, &ctx);
[...]
return nla_total_size(0) /* CTA_SECCTX */
+ nla_total_size(sizeof(char) * ctx.len); /* CTA_SECCTX_NAME */
#else
return 0;
#endif
}
> + if (ret < 0)
> return 0;
>
> return nla_total_size(0) /* CTA_SECCTX */
> diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
> index 5f7fd23b7afe..502cf10aab41 100644
> --- a/net/netfilter/nf_conntrack_standalone.c
> +++ b/net/netfilter/nf_conntrack_standalone.c
> @@ -175,8 +175,8 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
> struct lsm_context ctx;
> int ret;
>
> - ret = security_secid_to_secctx(ct->secmark, &ctx.context, &ctx.len);
> - if (ret)
> + ret = security_secid_to_secctx(ct->secmark, &ctx);
> + if (ret < 0)
> return;
>
> seq_printf(s, "secctx=%s ", ctx.context);
> diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
> index 37757cd77cf1..5110f29b2f40 100644
> --- a/net/netfilter/nfnetlink_queue.c
> +++ b/net/netfilter/nfnetlink_queue.c
> @@ -470,18 +470,18 @@ static int nfqnl_put_sk_classid(struct sk_buff *skb, struct sock *sk)
> return 0;
> }
>
> -static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata)
> +static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, struct lsm_context *ctx)
> {
> u32 seclen = 0;
> #if IS_ENABLED(CONFIG_NETWORK_SECMARK)
> +
remove unneeded line.
> if (!skb || !sk_fullsock(skb->sk))
> return 0;
>
> read_lock_bh(&skb->sk->sk_callback_lock);
>
> if (skb->secmark)
> - security_secid_to_secctx(skb->secmark, secdata, &seclen);
> -
> + seclen = security_secid_to_secctx(skb->secmark, ctx);
> read_unlock_bh(&skb->sk->sk_callback_lock);
> #endif
> return seclen;
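Review bot: `seclen` is declared `u32 seclen = 0;` and the function still returns `u32`, but `security_secid_to_secctx()` now returns a signed result (the other hunks of this patch test it with `ret < 0`), so a negative error stored by `seclen = security_secid_to_secctx(skb->secmark, ctx);` leaves this function as a large positive length. Change the helper to `static int nfqnl_get_sk_secctx(struct sk_buff *skb, struct lsm_context *ctx)` with `int seclen = 0;` so the sign survives to the `>= 0` checks in nfqnl_build_packet_message. Note also that when `skb->secmark` is zero, or the sock check fails, the function returns 0 without writing `*ctx`, so a caller cannot tell from the return value alone whether `ctx` was populated; a comment such as `/* returns the context length, a negative error, or 0 with *ctx untouched */` would make that contract explicit.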
> @@ -567,8 +567,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
> enum ip_conntrack_info ctinfo = 0;
> const struct nfnl_ct_hook *nfnl_ct;
> bool csum_verify;
> - struct lsm_context scaff; /* scaffolding */
> - char *secdata = NULL;
> + struct lsm_context ctx;
Help us make this get closer to reverse xmas tree:
enum ip_conntrack_info ctinfo = 0;
const struct nfnl_ct_hook *nfnl_ct;
+ struct lsm_context ctx;
bool csum_verify;
- struct lsm_context scaff; /* scaffolding */
- char *secdata = NULL;
> bool csum_verify;
> - struct lsm_context scaff; /* scaffolding */
> - char *secdata = NULL;
> u32 seclen = 0;
> ktime_t tstamp;
>
> @@ -643,8 +642,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
> }
>
> if ((queue->flags & NFQA_CFG_F_SECCTX) && entskb->sk) {
> - seclen = nfqnl_get_sk_secctx(entskb, &secdata);
> - if (seclen)
> + seclen = nfqnl_get_sk_secctx(entskb, &ctx);
> + if (seclen >= 0)
> size += nla_total_size(seclen);
> }
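Review bot: `if (seclen >= 0)` is always true because `seclen` is declared `u32 seclen = 0;` (context line in the previous hunk), so this check cannot skip a failed lookup, and a negative error from `nfqnl_get_sk_secctx()` wraps into a huge `size += nla_total_size(seclen)`. The same always-true test now guards `security_release_secctx(&ctx);` in the two later hunks of this function (after `nlh->nlmsg_len = skb->len;` and under `nlmsg_failure:`), where it runs even when the `NFQA_CFG_F_SECCTX` block was never entered and `ctx` is still uninitialized — the old `if (seclen)` excluded that path. Declare `int seclen = 0;` in the declaration hunk and keep the release conditional on a context actually having been obtained, e.g. `if (seclen > 0)`; if a zero-length context can still own an allocation that must be released, track the lookup outcome in a separate flag instead. The `nla_put(skb, NFQA_SECCTX, ctx.len, ctx.context)` hunk is only safe under that same guard, since `ctx.len` is not set on the failure or no-secmark paths.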
>
> @@ -783,7 +782,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
> if (nfqnl_put_sk_classid(skb, entskb->sk) < 0)
> goto nla_put_failure;
>
> - if (seclen && nla_put(skb, NFQA_SECCTX, seclen, secdata))
> + if (seclen && nla_put(skb, NFQA_SECCTX, ctx.len, ctx.context))
> goto nla_put_failure;
>
> if (ct && nfnl_ct->build(skb, ct, ctinfo, NFQA_CT, NFQA_CT_INFO) < 0)
> @@ -811,10 +810,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
> }
>
> nlh->nlmsg_len = skb->len;
> - if (seclen) {
> - lsmcontext_init(&scaff, secdata, seclen, 0);
> - security_release_secctx(&scaff);
> - }
> + if (seclen >= 0)
> + security_release_secctx(&ctx);
> return skb;
>
> nla_put_failure:
> @@ -822,10 +819,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
> kfree_skb(skb);
> net_err_ratelimited("nf_queue: error creating packet message\n");
> nlmsg_failure:
> - if (seclen) {
> - lsmcontext_init(&scaff, secdata, seclen, 0);
> - security_release_secctx(&scaff);
> - }
> + if (seclen >= 0)
> + security_release_secctx(&ctx);
> return NULL;
> }
>