From: Eric Paris <eparis@parisplace.org>
To: Eric Paris <eparis@redhat.com>
Cc: linux-kernel@vger.kernel.org, stable@kernel.org,
selinux@tycho.nsa.gov, jmorris@namei.org, sds@tycho.nsa.gov,
paul.moore@hp.com, manoj.iyer@canonical.com
Subject: Re: [PATCH] SELinux: BUG in SELinux compat_net code
Date: Tue, 19 May 2009 17:53:52 -0400
Message-ID: <7e0fb38c0905191453w611e1eaas45b20ce7c4030e59@mail.gmail.com>
In-Reply-To: <1242769318.2763.22.camel@dhcp231-142.rdu.redhat.com>
Sometimes I'm an idiot, messed up TWO e-mail addresses.... stable
and selinux, so I'm hitting both of those lists with this reply...
On Tue, May 19, 2009 at 5:41 PM, Eric Paris <eparis@redhat.com> wrote:
> This patch is not applicable to Linus's tree as the code in question has
> been removed for 2.6.30. I'm sending in case any of the stable
> maintainers would like to push to their branches (which I think anything
> pre 2.6.30 would like to do).
>
> Ubuntu users were experiencing a kernel panic when they enabled SELinux
> due to an old bug in our handling of the compatibility mode network
> controls, introduced Jan 1 2008 in effad8df44261031a882e1a895415f7186a5098e.
> Most distros have not used the compat_net code since the new code was
> introduced and so no one has hit this problem before. Ubuntu is the only
> distro I know that enabled that legacy cruft by default. But, I was asked
> to look at it and found that the above patch changed a call to
> avc_has_perm from if(send_perm) to if(!send_perm) in
> selinux_ip_postroute_iptables_compat(). The result is that users who
> turn on SELinux and have compat_net set can (and often will) BUG() in
> avc_has_perm_noaudit since they are requesting 0 permissions.
>
> This patch corrects that accidental bug introduction.
>
> Signed-off-by: Eric Paris <eparis@redhat.com>
>
> ---
>
> security/selinux/hooks.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff -up linux-source-2.6.28/security/selinux/hooks.c.pre.send linux-source-2.6.28/security/selinux/hooks.c
> --- linux-source-2.6.28/security/selinux/hooks.c.pre.send 2009-05-18 13:23:16.043632602 -0400
> +++ linux-source-2.6.28/security/selinux/hooks.c 2009-05-18 13:23:27.899632772 -0400
> @@ -4561,7 +4561,7 @@ static int selinux_ip_postroute_iptables
> if (err)
> return err;
>
> - if (send_perm != 0)
> + if (!send_perm)
> return 0;
>
> err = sel_netport_sid(sk->sk_protocol,
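Review bot: The description and the hunk disagree on which form is the bug: the text says the earlier commit changed `if(send_perm)` to `if(!send_perm)`, but the line this patch removes is `if (send_perm != 0)` and the line it adds is `if (!send_perm)`, so `!send_perm` is what this fix introduces, not what it removes. Consider rewording the description to say that commit effad8df inverted the early-return test (leaving `send_perm != 0` where `!send_perm` was meant), so that with the fix the function returns before `sel_netport_sid()` whenever there is no port-level send permission to check and `avc_has_perm()` is never reached with a zero requested mask. Note also that the removed test has a second effect visible in these lines: when `send_perm` is non-zero it returns 0 before the port check, so the per-port `send_msg` check was being skipped entirely for socket classes that do have such a permission; that is worth a sentence in the description for the stable maintainers. Finally, the patch is a `diff -up` against an Ubuntu `linux-source-2.6.28` tree rather than a git-formatted patch against a stable branch; a `git format-patch` output with the fix commit in the subject would make it easier to queue.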
>
>
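The failure mode described in the patch above, as an added C example that is not kernel code and not part of this thread: a small model of the early-return test in `selinux_ip_postroute_iptables_compat()`, with the removed guard (`send_perm != 0`) beside the fixed one (`!send_perm`). The AVC, the socket-class table, the permission bit values and the `EBADPERM` sentinel that stands in for the `BUG_ON()` on a zero requested mask are all constructed for illustration; the only thing taken from the thread is the shape of the two `if` lines. The example also shows the consequence the hunk implies but the description does not spell out: with the buggy guard, classes that do have a send permission skip the port check entirely, while classes with none fall through to the AVC with a zero mask.

```c
/* Added example (constructed model, not the kernel's code): why the
 * compat_net early-return test must fire when send_perm is ZERO.
 * Names follow the patch description; values and the class table are
 * assumptions for illustration only. */
#include <stdio.h>
#include <stdint.h>

/* Sentinel standing in for the BUG_ON(!requested) in the real AVC, so the
 * behaviour can be observed instead of crashing (constructed). */
#define EBADPERM (-1000)

/* Constructed socket classes: raw IP has no per-port send permission. */
enum sock_class { SC_UDP, SC_TCP, SC_RAWIP };

/* Constructed permission bits (values are arbitrary). */
#define UDP_SOCKET__SEND_MSG 0x1u
#define TCP_SOCKET__SEND_MSG 0x1u

/* Mirrors how the hook derives send_perm from the socket class: classes
 * without a per-port send permission yield 0 (modelled, not quoted). */
static uint32_t model_send_perm(enum sock_class cls)
{
    switch (cls) {
    case SC_UDP: return UDP_SOCKET__SEND_MSG;
    case SC_TCP: return TCP_SOCKET__SEND_MSG;
    default:     return 0;
    }
}

/* Count of permission checks actually performed, so a skipped check can be
 * told apart from a check that was performed and allowed. */
static int g_avc_calls = 0;

void avc_reset(void) { g_avc_calls = 0; }
int  avc_calls(void) { return g_avc_calls; }

/* Model of avc_has_perm_noaudit: a zero requested mask is the error the
 * patch description talks about; any non-zero mask is "checked and allowed"
 * in this constructed policy. */
static int model_avc_has_perm(uint32_t requested)
{
    if (!requested)
        return EBADPERM;   /* real kernel: BUG_ON(!requested) */
    g_avc_calls++;
    return 0;
}

/* Guard as removed by the hunk: returns early when a permission IS set,
 * and reaches the AVC with requested == 0 when none is. */
int postroute_compat_buggy(enum sock_class cls)
{
    uint32_t send_perm = model_send_perm(cls);

    if (send_perm != 0)
        return 0;          /* skips the port check for TCP/UDP */
    return model_avc_has_perm(send_perm);   /* 0 for raw IP -> EBADPERM */
}

/* Guard as added by the hunk: nothing to check means return early,
 * otherwise perform the port-level send check. */
int postroute_compat_fixed(enum sock_class cls)
{
    uint32_t send_perm = model_send_perm(cls);

    if (!send_perm)
        return 0;          /* no per-port permission for this class */
    return model_avc_has_perm(send_perm);
}

int main(void)
{
    avc_reset();
    printf("buggy raw IP : %d (EBADPERM = %d)\n",
           postroute_compat_buggy(SC_RAWIP), EBADPERM);
    printf("fixed raw IP : %d\n", postroute_compat_fixed(SC_RAWIP));
    printf("buggy TCP    : %d, checks performed: %d\n",
           postroute_compat_buggy(SC_TCP), avc_calls());
    printf("fixed TCP    : %d, checks performed: %d\n",
           postroute_compat_fixed(SC_TCP), avc_calls());
    return 0;
}
```

The two guards differ only in the sense of the test, which is exactly the one-line change in the hunk; the model makes the zero-mask path return a value rather than oops so it can be exercised in user space.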
Thread overview:
2009-05-19 21:41 [PATCH] SELinux: BUG in SELinux compat_net code Eric Paris
2009-05-19 21:53 ` Eric Paris [this message]
2009-05-19 22:01 ` Paul Moore
2009-05-19 21:53 ` Paul Moore