From: Casey Schaufler
To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: john.johansen@canonical.com, linux-audit@redhat.com, sds@tycho.nsa.gov
Subject: [PATCH v16 17/23] LSM: security_secid_to_secctx in netlink netfilter
Date: Mon, 6 Apr 2020 17:01:53 -0700
Message-Id: <20200407000159.43602-18-casey@schaufler-ca.com>
In-Reply-To: <20200407000159.43602-1-casey@schaufler-ca.com>
References: <20200407000159.43602-1-casey@schaufler-ca.com>
List-Id: Linux Audit Discussion

Change netlink netfilter interfaces to use lsmcontext pointers, and remove scaffolding.

Reviewed-by: Kees Cook
Reviewed-by: John Johansen
Acked-by: Stephen Smalley
Signed-off-by: Casey Schaufler
cc: netdev@vger.kernel.org
---
 net/netfilter/nfnetlink_queue.c | 31 ++++++++++++-------------------
 1 file changed, 12 insertions(+), 19 deletions(-)

diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 880da01ef4d3..d07900c317fd 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -301,12 +301,10 @@ static int nfqnl_put_sk_uidgid(struct sk_buff *skb, struct sock *sk) return -1; } -static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata) +static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, struct lsmcontext *context) { - u32 seclen = 0; #if IS_ENABLED(CONFIG_NETWORK_SECMARK) struct lsmblob blob; - struct lsmcontext context = { }; if (!skb || !sk_fullsock(skb->sk)) return 0; @@ -318,14 +316,14 @@ static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata) * blob. security_secid_to_secctx() will know which security * module to use to create the secctx. */ lsmblob_init(&blob, skb->secmark); - security_secid_to_secctx(&blob, &context); - *secdata = context.context; + security_secid_to_secctx(&blob, context); } read_unlock_bh(&skb->sk->sk_callback_lock); - seclen = context.len; + return context->len; +#else + return 0; #endif - return seclen; } static u32 nfqnl_get_bridge_size(struct nf_queue_entry *entry) @@ -401,8 +399,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, enum ip_conntrack_info uninitialized_var(ctinfo); struct nfnl_ct_hook *nfnl_ct; bool csum_verify; - struct lsmcontext scaff; /* scaffolding */ - char *secdata = NULL; + struct lsmcontext context = { }; u32 seclen = 0; size = nlmsg_total_size(sizeof(struct nfgenmsg)) @@ -469,7 +466,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, } if ((queue->flags & NFQA_CFG_F_SECCTX) && entskb->sk) { - seclen = nfqnl_get_sk_secctx(entskb, &secdata); + seclen = nfqnl_get_sk_secctx(entskb, &context); if (seclen) size += nla_total_size(seclen); } 
@@ -604,7 +601,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, nfqnl_put_sk_uidgid(skb, entskb->sk) < 0) goto nla_put_failure; - if (seclen && nla_put(skb, NFQA_SECCTX, seclen, secdata)) + if (seclen && nla_put(skb, NFQA_SECCTX, context.len, context.context)) goto nla_put_failure; if (ct && nfnl_ct->build(skb, ct, ctinfo, NFQA_CT, NFQA_CT_INFO) < 0) @@ -632,10 +629,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, } nlh->nlmsg_len = skb->len; - if (seclen) { - lsmcontext_init(&scaff, secdata, seclen, 0); - security_release_secctx(&scaff); - } + if (seclen) + security_release_secctx(&context); return skb; nla_put_failure: @@ -643,10 +638,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, kfree_skb(skb); net_err_ratelimited("nf_queue: error creating packet message\n"); nlmsg_failure: - if (seclen) { - lsmcontext_init(&scaff, secdata, seclen, 0); - security_release_secctx(&scaff); - } + if (seclen) + security_release_secctx(&context); return NULL; } -- 2.24.1 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
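Review bot: In the `@@ -318,14 +316,14 @@` hunk, `return context->len;` is reached whether or not the `security_secid_to_secctx(&blob, context);` call inside the conditional block above it ran, and nothing in `nfqnl_get_sk_secctx()` initialises the caller's context first. The removed version returned a local `seclen` that started at 0 and was copied from a local `struct lsmcontext context = { };`, so a zero result was guaranteed when the block was skipped; the new code is only correct because the caller in the `@@ -401,8 +399,7 @@` hunk declares `struct lsmcontext context = { };`. Either set `context->len = 0;` at the top of the function so it does not depend on the caller, or add a comment above the function stating that the caller must pass a zero-initialised context and release it with `security_release_secctx()` whenever the return value is non-zero.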
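Review bot: In the `@@ -604,7 +601,7 @@` hunk the guard tests `seclen` while the length handed to `nla_put()` is `context.len`; the two are the same value (the `@@ -469,7 +466,7 @@` hunk assigns `seclen = nfqnl_get_sk_secctx(entskb, &context);`, which returns `context->len`), so mixing them reads as if they could differ. Use one consistently: either `nla_put(skb, NFQA_SECCTX, seclen, context.context)` to match the guard, or drop `seclen` altogether and key the `nla_put()`, the `nla_total_size()` accounting and both `security_release_secctx(&context)` calls on `context.len`, since the length now travels inside the context anyway.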
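Review bot: The `if (seclen) security_release_secctx(&context);` blocks in the `@@ -632,10 +629,8 @@` and `@@ -643,10 +638,8 @@` hunks are identical, and the copy under `nlmsg_failure:` is also reached from `nla_put_failure:`, which falls through after `kfree_skb(skb);`, so every exit after a successful `nfqnl_get_sk_secctx()` releases the context exactly once. That is correct, and with the `lsmcontext_init()` scaffolding gone each block is a single statement, so it is acceptable as is; if these exit paths are touched again later in the series, routing the success return through the same cleanup as `nlmsg_failure:` would remove the duplication.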