From: Paul Moore <paul@paul-moore.com>
To: Octavian Purdila <octavian.purdila@intel.com>, netdev@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Subject: Re: [net-next v2 07/13] tcp: move around a few calls in tcp_v6_conn_request
Date: Wed, 25 Jun 2014 10:29:43 -0400 [thread overview]
Message-ID: <1639708.nSlqFFmvO1@sifl> (raw)
In-Reply-To: <1403705402-14388-8-git-send-email-octavian.purdila@intel.com>
On Wednesday, June 25, 2014 05:09:56 PM Octavian Purdila wrote:
> Make the tcp_v6_conn_request calls flow similar with that of
> tcp_v4_conn_request.
>
> Note that want_cookie can be true only if isn is zero and that is why
> we can move the if (want_cookie) block out of the if (!isn) block.
>
> Moving security_inet_conn_request() has a couple of side effects:
> missing inet_rsk(req)->ecn_ok update and the req->cookie_ts
> update. However, neither SELinux nor Smack security hooks seems to
> check them. This change should also avoid future different behaviour
> for IPv4 and IPv6 in the security hooks.
>
> Signed-off-by: Octavian Purdila <octavian.purdila@intel.com>
> ---
> net/ipv6/tcp_ipv6.c | 18 +++++++-----------
> 1 file changed, 7 insertions(+), 11 deletions(-)
Please send changes to the LSM hooks to the LSM mailing list (CC'd) for
review/comment.
Mailing list issues aside, this looks fine to me; the loss of the ecn_ok and
cookie_ts field updates should not matter to the current LSMs, or any
reasonable future LSM, as the LSMs are more concerned about updating the LSM
context assigned to the request_sock in this particular hook.
Acked-by: Paul Moore <paul@paul-moore.com>
> diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
> index d780d88..91b8a2e 100644
> --- a/net/ipv6/tcp_ipv6.c
> +++ b/net/ipv6/tcp_ipv6.c
> @@ -1070,16 +1070,16 @@ static int tcp_v6_conn_request(struct sock *sk,
> struct sk_buff *skb) ireq = inet_rsk(req);
> af_ops->init_req(req, sk, skb);
>
> + if (security_inet_conn_request(sk, skb, req))
> + goto drop_and_release;
> +
> if (!want_cookie || tmp_opt.tstamp_ok)
> TCP_ECN_create_request(req, skb, sock_net(sk));
>
> - if (!isn) {
> - if (want_cookie) {
> - isn = cookie_init_sequence(af_ops, sk, skb, &req->mss);
> - req->cookie_ts = tmp_opt.tstamp_ok;
> - goto have_isn;
> - }
> -
> + if (want_cookie) {
> + isn = cookie_init_sequence(af_ops, sk, skb, &req->mss);
> + req->cookie_ts = tmp_opt.tstamp_ok;
> + } else if (!isn) {
> /* VJ's idea. We save last timestamp seen
> * from the destination in peer table, when entering
> * state TIME-WAIT, and check against it before
> @@ -1116,10 +1116,6 @@ static int tcp_v6_conn_request(struct sock *sk,
> struct sk_buff *skb)
>
> isn = tcp_v6_init_sequence(skb);
> }
> -have_isn:
> -
> - if (security_inet_conn_request(sk, skb, req))
> - goto drop_and_release;
>
> if (!dst) {
> dst = af_ops->route_req(sk, (struct flowi *)&fl6, req, NULL);
--
paul moore
www.paul-moore.com
next prev parent reply other threads:[~2014-06-25 14:29 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-06-25 14:09 [net-next v2 00/13] remove code duplication in tcp_v[46]_conn_request Octavian Purdila
2014-06-25 14:09 ` [net-next v2 01/13] tcp: cookie_v4_init_sequence: skb should be const Octavian Purdila
2014-06-25 14:09 ` [net-next v2 02/13] tcp: tcp_v[46]_conn_request: fix snt_synack initialization Octavian Purdila
2014-06-28 2:16 ` Neal Cardwell
2014-06-28 2:24 ` Neal Cardwell
2014-06-30 11:50 ` Octavian Purdila
2014-06-30 19:11 ` Neal Cardwell
2014-06-30 21:00 ` Octavian Purdila
2014-07-01 2:24 ` Neal Cardwell
2014-06-25 14:09 ` [net-next v2 03/13] net: remove inet6_reqsk_alloc Octavian Purdila
2014-06-25 17:59 ` Cong Wang
2014-06-25 18:04 ` Octavian Purdila
2014-06-25 14:09 ` [net-next v2 04/13] tcp: add init_req method to tcp_request_sock_ops Octavian Purdila
2014-06-25 14:09 ` [net-next v2 05/13] tcp: add init_cookie_seq " Octavian Purdila
2014-06-25 14:09 ` [net-next v2 06/13] tcp: add route_req " Octavian Purdila
2014-06-25 14:09 ` [net-next v2 07/13] tcp: move around a few calls in tcp_v6_conn_request Octavian Purdila
2014-06-25 14:29 ` Paul Moore [this message]
2014-06-25 14:09 ` [net-next v2 08/13] tcp: add init_seq method to tcp_request_sock_ops Octavian Purdila
2014-06-25 14:09 ` [net-next v2 09/13] tcp: add send_synack " Octavian Purdila
2014-06-25 14:09 ` [net-next v2 10/13] tcp: unify tcp_v4_rtx_synack and tcp_v6_rtx_synack Octavian Purdila
2014-06-25 14:10 ` [net-next v2 11/13] tcp: add mss_clamp to tcp_request_sock_ops Octavian Purdila
2014-06-25 14:10 ` [net-next v2 12/13] tcp: add queue_add_hash " Octavian Purdila
2014-06-25 19:05 ` Cong Wang
2014-06-25 14:10 ` [net-next v2 13/13] tcp: add tcp_conn_request Octavian Purdila
2014-06-27 22:54 ` [net-next v2 00/13] remove code duplication in tcp_v[46]_conn_request David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1639708.nSlqFFmvO1@sifl \
--to=paul@paul-moore.com \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=octavian.purdila@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).