netdev.vger.kernel.org archive mirror
From: Paul Moore <pmoore@redhat.com>
To: Eric Dumazet <eric.dumazet@gmail.com>,
	David Miller <davem@davemloft.net>
Cc: netdev@vger.kernel.org, mvadkert@redhat.com
Subject: Re: [PATCH] tcp: assign the sock correctly to an outgoing SYNACK packet
Date: Mon, 08 Apr 2013 14:12:01 -0400	[thread overview]
Message-ID: <1725553.maWFXblPLa@sifl> (raw)
In-Reply-To: <1365443267.3887.28.camel@edumazet-glaptop>

On Monday, April 08, 2013 10:47:47 AM Eric Dumazet wrote:
> On Mon, 2013-04-08 at 13:40 -0400, Paul Moore wrote:
> > Sort of a similar problem, but not really the same.  Also, arguably, there
> > is no real associated sock/socket for a RST so orphaning the packet makes
> > sense. In the case of a SYNACK we can, and should, associate the packet
> > with a sock/socket.
> 
> What is the intent?

We have to do a number of painful things in SELinux because we aren't allowed 
a proper security blob (void *security) in a sk_buff.  One of those things is 
using the security blob in the originating sock as a stand-in for the packet's 
own security blob; as a result, when skb->sk is not set we have to make some 
guesses about the security attributes of the packet.  We do have methods to handle 
packets without a valid sock pointer, but those are used primarily for non-
local packets (e.g. forwarded traffic) and some limited local use cases (e.g. 
TCP RST packets).

Also, don't mention skb->secmark; unfortunately that was used for something 
else and doesn't apply to this conversation.
 
> On Mon, 2013-04-08 at 10:47 -0700, Eric Dumazet wrote:
> > This kind of requirement has a huge cost, and that's why I want a hook
> > instead of a 'generic thing'
> 
> I meant " I would like ... "
> 
> We for example have security_inet_csk_clone()
> 
> We could have security_skb_owned_by(skb, sk)
>
> I probably can send a patch, it seems quite easy.

It seems a bit fragile to me, perhaps even hacky, but in some ways I guess it 
isn't any more fragile than relying on skb->sk - as this problem demonstrates.  
My other concern is that adding this hook *correctly* is likely to touch a lot 
of files and may be a bit much so late in the 3.9 cycle, Dave, what say you?

Assuming that this is the preferred option, Eric, would you be open to 
reverting your patch for 3.9 with the assumption that I promise to add the 
hook for 3.10?  You've got my word that I'll have it done ASAP.

-- 
paul moore
security and virtualization @ redhat
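The label-resolution problem Paul describes above (SELinux borrows the originating sock's security blob, so an skb with no sk forces a guess) and the hook Eric proposes (security_skb_owned_by(skb, sk)) can be illustrated with a small userspace model. This is an added example written for this archive page, not code from the thread, from the kernel, or from the SELinux tree; the structs, the _model functions and the numeric SIDs are stand-ins I made up to mirror the shape of skb_set_owner_w(), sk_wmem_alloc accounting and a SID lookup, and should not be read as the kernel's actual implementation.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the pieces under discussion; not kernel code. */
#define SECINITSID_UNLABELED 0u   /* stand-in for the "we had to guess" label */

struct sock {
    unsigned int sid;   /* stands in for the SELinux SID held in sk_security */
    int wmem_alloc;     /* stands in for sk->sk_wmem_alloc (write-memory charge) */
};

struct sk_buff {
    struct sock *sk;    /* owning socket; NULL when the skb is orphaned */
    void (*destructor)(struct sk_buff *);
};

/* Models sock_wfree(): uncharges the owning socket when the skb is freed. */
static void sock_wfree_model(struct sk_buff *skb)
{
    skb->sk->wmem_alloc--;
}

/* Models skb_set_owner_w(): sets skb->sk, charges the socket and installs the
 * destructor.  This charge/uncharge pair on the socket is the per-packet cost
 * the thread argues about for SYNACKs sent on behalf of a listener. */
static void skb_set_owner_w_model(struct sk_buff *skb, struct sock *sk)
{
    skb->sk = sk;
    skb->destructor = sock_wfree_model;
    sk->wmem_alloc++;
}

/* Models the proposed LSM hook: with SELinux enabled it gives the SYNACK an
 * owner; without an LSM that needs it, it is a no-op and no charge is made. */
static void security_skb_owned_by_model(struct sk_buff *skb, struct sock *sk,
                                        int lsm_needs_owner)
{
    if (lsm_needs_owner && sk)
        skb_set_owner_w_model(skb, sk);
}

/* Models the SELinux lookup of a locally generated packet's label: the
 * originating sock's SID if skb->sk is set, otherwise a fallback guess. */
static unsigned int skb_label_model(const struct sk_buff *skb)
{
    return skb->sk ? skb->sk->sid : SECINITSID_UNLABELED;
}

/* Models kfree_skb(): runs the destructor so the socket charge is released. */
static void kfree_skb_model(struct sk_buff *skb)
{
    if (skb->destructor)
        skb->destructor(skb);
    skb->sk = NULL;
    skb->destructor = NULL;
}

/* Builds a SYNACK on behalf of a listening socket and returns the label the
 * model LSM would see for it.  lsm_needs_owner selects whether the hook
 * actually assigns the sock. */
unsigned int synack_label(struct sock *listener, int lsm_needs_owner)
{
    struct sk_buff skb = { NULL, NULL };
    unsigned int sid;

    security_skb_owned_by_model(&skb, listener, lsm_needs_owner);
    sid = skb_label_model(&skb);
    kfree_skb_model(&skb);          /* charge must return to zero here */
    return sid;
}

int main(void)
{
    struct sock listener = { 1234u, 0 };   /* constructed SID, not a real one */

    printf("no hook : label %u, wmem_alloc %d\n",
           synack_label(&listener, 0), listener.wmem_alloc);
    printf("with hook: label %u, wmem_alloc %d\n",
           synack_label(&listener, 1), listener.wmem_alloc);
    return 0;
}
```

The two calls in main() show both sides of the argument in the thread: without an owner the SYNACK is labelled with the fallback SID rather than the listener's SID, and with the hook the listener's SID is used at the price of a charge/uncharge on the socket for every SYNACK, which is exactly why a hook that only fires when an LSM needs it was preferred over unconditionally calling skb_set_owner_w().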

Thread overview: 64+ messages
2013-04-08 15:45 [PATCH] tcp: assign the sock correctly to an outgoing SYNACK packet Paul Moore
2013-04-08 16:14 ` David Miller
2013-04-08 17:22   ` Paul Moore
2013-04-08 17:36     ` Eric Dumazet
2013-04-08 17:40       ` Paul Moore
2013-04-08 17:47         ` Eric Dumazet
2013-04-08 18:01           ` Eric Dumazet
2013-04-08 18:12           ` Paul Moore [this message]
2013-04-08 18:21             ` Eric Dumazet
2013-04-08 18:26               ` Paul Moore
2013-04-08 18:34                 ` Eric Dumazet
2013-04-08 18:30               ` Eric Dumazet
2013-04-08 20:37                 ` Paul Moore
2013-04-08 20:44                   ` David Miller
2013-04-08 20:53                     ` Paul Moore
2013-04-08 20:55                   ` Eric Dumazet
2013-04-08 21:09                     ` Paul Moore
2013-04-08 21:14                       ` David Miller
2013-04-08 21:17                       ` Eric Dumazet
2013-04-09  3:58                       ` [PATCH] selinux: add a skb_owned_by() hook Eric Dumazet
2013-04-09  4:29                         ` Casey Schaufler
2013-04-09  4:41                           ` David Miller
2013-04-09  5:14                             ` Casey Schaufler
2013-04-09 11:39                             ` Paul Moore
2013-04-09  6:24                           ` Eric Dumazet
2013-04-09 11:45                           ` Paul Moore
2013-04-09  7:38                         ` James Morris
2013-04-09 12:06                         ` Paul Moore
2013-04-09 17:23                         ` David Miller
2013-04-08 18:32             ` [PATCH] tcp: assign the sock correctly to an outgoing SYNACK packet Paul Moore
2013-04-08 21:10               ` Paul Moore
2013-04-08 21:15                 ` David Miller
2013-04-08 21:24                   ` Paul Moore
2013-04-08 21:33                     ` David Miller
2013-04-08 22:01                       ` Paul Moore
2013-04-08 22:08                         ` David Miller
2013-04-08 23:40                       ` Casey Schaufler
2013-04-09  0:33                         ` Eric Dumazet
2013-04-09  0:59                           ` Casey Schaufler
2013-04-09  1:09                             ` Eric Dumazet
2013-04-09  1:24                               ` Casey Schaufler
2013-04-09 13:19                                 ` Paul Moore
2013-04-09 13:33                                   ` Paul Moore
2013-04-09 14:00                                   ` Eric Dumazet
2013-04-09 14:19                                     ` Paul Moore
2013-04-09 14:31                                       ` Eric Dumazet
2013-04-09 14:52                                         ` Paul Moore
2013-04-09 15:05                                           ` Paul Moore
2013-04-09 15:07                                           ` Eric Dumazet
2013-04-09 15:17                                             ` Paul Moore
2013-04-09 15:32                                               ` Eric Dumazet
2013-04-09 15:57                                                 ` Paul Moore
2013-04-09 16:11                                                 ` Casey Schaufler
2013-04-09 16:56                                                 ` David Miller
2013-04-09 17:00                                                   ` Paul Moore
2013-04-09 17:09                                                     ` David Miller
2013-04-09 17:10                                                       ` David Miller
2013-04-09 14:05                                   ` Ben Hutchings
2013-04-09 14:10                                     ` Paul Moore
2013-04-08 21:34                     ` Ben Hutchings
2013-04-08 19:25     ` David Miller
2013-04-08 16:19 ` Eric Dumazet
2013-04-08 18:03 ` Sergei Shtylyov
2013-04-08 18:12   ` Paul Moore
