From: Paul Moore <paul.moore@hp.com>
To: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Cc: linux-security-module@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH] LSM: Add security_socket_post_accept() and security_socket_post_recv_datagram().
Date: Tue, 14 Apr 2009 18:59:56 -0400 [thread overview]
Message-ID: <200904141859.57965.paul.moore@hp.com> (raw)
In-Reply-To: <200904141944.JFE64074.FHtOMOFQLFJOVS@I-love.SAKURA.ne.jp>
On Tuesday 14 April 2009 06:44:35 am Tetsuo Handa wrote:
> Hello.
>
> The security_socket_post_accept() hook was recently removed because this
> hook was not used by any in-tree modules and its existence continued to
> cause problems by confusing people about what can be safely accomplished
> using this hook. Now, TOMOYO became in-tree and TOMOYO wants to add network
> access control in 2.6.31.
>
> TOMOYO is not a label based access control and won't cause packet labeling
> problem. TOMOYO won't care as long as packets are not copied to userspace.
We've discussed this issue several times on the mailing list so I won't go
over all of the details again, but I will say that my main concern with the
post_accept() hook is that you are rejecting a connection after is has already
gone through the connection handshake. I personally don't feel this is a good
approach but I don't want to stand in your way if I am alone on this point.
I'm less concerned about the recv_datagram() hook although the issues you
point out about sharing sockets across multiple processes does highlight what
I believe are some fundamental issues regarding the TOMOYO network security
model. Once again, I'm not going to object if I am the only one.
Lastly, I think in order to review these patches we need to see how they are
used. Please submit a patch set that includes both this patch as well as a
patch to TOMOYO which makes use of these changes; this way we can properly
review your patches in context. Regardless, I took a quick look and noticed a
few things (below).
Thanks.
> --- security-testing-2.6.git.orig/net/core/datagram.c
> +++ security-testing-2.6.git/net/core/datagram.c
> @@ -55,6 +55,7 @@
> #include <net/checksum.h>
> #include <net/sock.h>
> #include <net/tcp_states.h>
> +#include <linux/security.h>
>
> /*
> * Is a socket 'connection oriented' ?
> @@ -148,6 +149,7 @@ struct sk_buff *__skb_recv_datagram(stru
> {
> struct sk_buff *skb;
> long timeo;
> + unsigned long cpu_flags;
> /*
> * Caller is allowed not to check sk->sk_err before skb_recv_datagram()
> */
> @@ -165,7 +167,6 @@ struct sk_buff *__skb_recv_datagram(stru
> * Look at current nfs client by the way...
> * However, this function was corrent in any case. 8)
> */
> - unsigned long cpu_flags;
>
> spin_lock_irqsave(&sk->sk_receive_queue.lock, cpu_flags);
> skb = skb_peek(&sk->sk_receive_queue);
> @@ -179,6 +180,14 @@ struct sk_buff *__skb_recv_datagram(stru
> }
> spin_unlock_irqrestore(&sk->sk_receive_queue.lock, cpu_flags);
>
> + /* Filter packets from unwanted peers. */
It might be best to drop this comment, we don't want to speculate how the LSM
might be making access controls decisions here.
> + if (skb) {
> + error = security_socket_post_recv_datagram(sk, skb,
> + flags);
> + if (error)
> + goto force_dequeue;
> + }
> +
> if (skb)
> return skb;
Why check to see if skb != NULL twice? I think you should be able to move the
skb return statement into the body of the first if block.
> @@ -191,6 +200,24 @@ struct sk_buff *__skb_recv_datagram(stru
>
> return NULL;
>
> +force_dequeue:
> + /* Drop this packet because LSM says "Don't pass it to the caller". */
Once again, remove this comment since we don't know what a LSM might decide.
> + if (!(flags & MSG_PEEK))
> + goto no_peek;
> + /*
> + * If this packet is MSG_PEEK'ed, dequeue it forcibly
> + * so that this packet won't prevent the caller from picking up
> + * next packet.
> + */
> + spin_lock_irqsave(&sk->sk_receive_queue.lock, cpu_flags);
> + if (skb == skb_peek(&sk->sk_receive_queue)) {
> + __skb_unlink(skb, &sk->sk_receive_queue);
> + atomic_dec(&skb->users);
> + /* Do I have something to do with skb->peeked ? */
I don't know but you should find out before this code is merged :)
> + }
> + spin_unlock_irqrestore(&sk->sk_receive_queue.lock, cpu_flags);
> +no_peek:
> + kfree_skb(skb);
> no_packet:
> *err = error;
> return NULL;
--
paul moore
linux @ hp
next prev parent reply other threads:[~2009-04-14 22:59 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-04-14 10:44 [PATCH] LSM: Add security_socket_post_accept() and security_socket_post_recv_datagram() Tetsuo Handa
2009-04-14 22:59 ` Paul Moore [this message]
2009-04-15 5:12 ` Tetsuo Handa
2009-04-15 10:51 ` [PATCH 1/2] " Tetsuo Handa
2009-04-15 10:51 ` [PATCH 2/2] tomoyo: Add network access control support Tetsuo Handa
2009-04-16 18:23 ` [PATCH] LSM: Add security_socket_post_accept() and security_socket_post_recv_datagram() Paul Moore
2009-04-18 8:34 ` Tetsuo Handa
2009-04-20 22:22 ` Paul Moore
2009-04-21 10:54 ` Tetsuo Handa
2009-04-21 10:57 ` David Miller
2009-04-21 11:39 ` Tetsuo Handa
2009-04-21 11:40 ` David Miller
2009-04-21 12:26 ` Tetsuo Handa
2009-04-21 12:37 ` David Miller
2009-04-21 12:52 ` [PATCH] LSM: Add security_socket_post_accept() andsecurity_socket_post_recv_datagram() Tetsuo Handa
2009-04-21 13:04 ` David Miller
2009-04-22 0:55 ` [PATCH] LSM: Add security_socket_post_accept() and security_socket_post_recv_datagram() Tetsuo Handa
2009-04-22 1:14 ` David Miller
2009-04-22 1:49 ` Tetsuo Handa
2009-04-22 4:22 ` David Miller
2009-04-22 5:02 ` Tetsuo Handa
2009-04-22 5:07 ` David Miller
2009-04-22 5:38 ` Tetsuo Handa
2009-04-22 5:52 ` David Miller
2009-04-23 14:00 ` Tetsuo Handa
2009-04-23 14:10 ` David Miller
2009-04-23 14:47 ` Samir Bellabes
2009-04-22 1:52 ` Greg Lindahl
2009-04-22 4:23 ` David Miller
2009-04-22 6:10 ` Greg Lindahl
2009-04-22 6:34 ` David Miller
2009-04-22 6:41 ` Greg Lindahl
2009-04-22 6:46 ` David Miller
2009-04-22 6:54 ` Greg Lindahl
2009-04-22 6:58 ` David Miller
2009-04-22 7:19 ` Tetsuo Handa
2009-04-24 2:07 ` Tetsuo Handa
2009-04-24 4:35 ` David Miller
2009-04-24 4:41 ` David Miller
2009-04-24 4:55 ` Tetsuo Handa
2009-04-24 5:26 ` Tetsuo Handa
2009-04-24 11:40 ` David Miller
2009-04-24 13:57 ` [PATCH] LSM: Add security_socket_post_accept() andsecurity_socket_post_recv_datagram() Tetsuo Handa
2009-04-19 8:03 ` [PATCH v2] LSM: Add security_socket_post_accept() and security_socket_post_recv_datagram() Tetsuo Handa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200904141859.57965.paul.moore@hp.com \
--to=paul.moore@hp.com \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=penguin-kernel@i-love.sakura.ne.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).