From: Stephen Smalley <sds@tycho.nsa.gov>
To: rongqing.li@windriver.com
Cc: netdev@vger.kernel.org, selinux@tycho.nsa.gov,
lsm <linux-security-module@vger.kernel.org>
Subject: Re: [PATCH 1/5] Define the function to write sock's security context to seq_file.
Date: Fri, 05 Aug 2011 09:56:58 -0400 [thread overview]
Message-ID: <1312552618.19283.51.camel@moss-pluto> (raw)
In-Reply-To: <1312534686-4099-2-git-send-email-rongqing.li@windriver.com>
On Fri, 2011-08-05 at 16:58 +0800, rongqing.li@windriver.com wrote:
> From: Roy.Li <rongqing.li@windriver.com>
>
> This function will write the sock's security context to a seq_file
> and return the error code, and the number of characters successfully
> written is written in int pointers parameter.
>
> This function will be called when export socket information to proc.
>
> Signed-off-by: Roy.Li <rongqing.li@windriver.com>
> ---
> include/net/sock.h | 1 +
> net/core/sock.c | 26 ++++++++++++++++++++++++++
> 2 files changed, 27 insertions(+), 0 deletions(-)
> diff --git a/net/core/sock.c b/net/core/sock.c
> index bc745d0..1126a49 100644
> --- a/net/core/sock.c
> +++ b/net/core/sock.c
> @@ -2254,6 +2254,32 @@ void sk_common_release(struct sock *sk)
> }
> EXPORT_SYMBOL(sk_common_release);
>
> +int sock_write_secctx(struct sock *sk, struct seq_file *seq, int *len)
> +{
> + struct flowi fl;
> + char *ctx = NULL;
> + u32 ctxlen;
> + int res = 0;
> +
> + *len = 0;
> +
> + if (sk == NULL)
> + return -EINVAL;
Is this ever possible?
> + res = security_socket_getsockname(sk->sk_socket);
> + if (res)
> + return res;
I'm not sure it is a good idea to output nothing if permission is denied
to the socket, as opposed to some well-defined string indicating that
condition. Particularly if someone later adds another field to
the /proc files after the context; we don't want the contents of that
field to be interpreted as the context if permission was denied.
> +
> + security_sk_classify_flow(sk, &fl);
> +
> + res = security_secid_to_secctx(fl.flowi_secid, &ctx, &ctxlen);
> + if (res)
> + return res;
Likewise, if we couldn't map the secid to a secctx for some reason, we
likely ought to output some well-defined string indicating that
condition.
> +
> + seq_printf(seq, " %s%n", ctx, len);
> + security_release_secctx(ctx, ctxlen);
> + return res;
> +}
> +
> static DEFINE_RWLOCK(proto_list_lock);
> static LIST_HEAD(proto_list);
>
--
Stephen Smalley
National Security Agency
next prev parent reply other threads:[~2011-08-05 13:56 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-08-05 8:58 [PATCH 0/5] Export the sock's security context to proc rongqing.li
2011-08-05 8:58 ` [PATCH 1/5] Define the function to write sock's security context to seq_file rongqing.li
[not found] ` <1312534686-4099-2-git-send-email-rongqing.li-CWA4WttNNZF54TAoqtyWWQ@public.gmane.org>
2011-08-05 13:32 ` Stephen Smalley
2011-08-05 13:56 ` Stephen Smalley [this message]
2011-08-08 9:32 ` Rongqing Li
2011-08-08 13:25 ` Stephen Smalley
2011-08-05 8:58 ` [PATCH 2/5] Export the raw sock's security context to proc rongqing.li
2011-08-05 13:51 ` Stephen Smalley
2011-08-05 8:58 ` [PATCH 3/5] Export the udp " rongqing.li
2011-08-05 8:58 ` [PATCH 4/5] Export the unix " rongqing.li
2011-08-05 8:58 ` [PATCH 5/5] Export the tcp " rongqing.li
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1312552618.19283.51.camel@moss-pluto \
--to=sds@tycho.nsa.gov \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=rongqing.li@windriver.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).