From: Paul Moore <paul.moore@hp.com>
To: Eric Paris <eparis@redhat.com>
Cc: linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org,
netfilter@vger.kernel.org, jmorris@namei.org,
selinux@tycho.nsa.gov, sds@tycho.nsa.gov, jengelh@medozas.de,
linux-security-module@vger.kernel.org,
mr.dash.four@googlemail.com, pablo@netfilter.org
Subject: Re: [PATCH 5/5] secmark: export secctx, drop secmark in procfs
Date: Tue, 12 Oct 2010 19:19:56 -0400 [thread overview]
Message-ID: <1286925596.5133.102.camel@sifl> (raw)
In-Reply-To: <20101012154035.26943.35175.stgit@paris.rdu.redhat.com>
On Tue, 2010-10-12 at 11:40 -0400, Eric Paris wrote:
> The current secmark code exports a secmark= field which just indicates if
> there is special labeling on a packet or not. We drop this field as it
> isn't particularly useful and instead export a new field secctx= which is
> the actual human readable text label.
Looks reasonable to me, just some small nits/questions below ...
> Signed-off-by: Eric Paris <eparis@redhat.com>
> ---
>
> .../netfilter/nf_conntrack_l3proto_ipv4_compat.c | 27 ++++++++++++++++++--
> net/netfilter/nf_conntrack_standalone.c | 27 ++++++++++++++++++--
> 2 files changed, 48 insertions(+), 6 deletions(-)
>
> diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
> index 244f7cb..2ca510e 100644
> --- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
> +++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
> @@ -11,6 +11,7 @@
> #include <linux/proc_fs.h>
> #include <linux/seq_file.h>
> #include <linux/percpu.h>
> +#include <linux/security.h>
> #include <net/net_namespace.h>
>
> #include <linux/netfilter.h>
> @@ -87,6 +88,28 @@ static void ct_seq_stop(struct seq_file *s, void *v)
> rcu_read_unlock();
> }
>
> +#ifdef CONFIG_NF_CONNTRACK_SECMARK
> +static int ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
> +{
> + int len, ret;
> + char *secctx;
> +
> + ret = security_secid_to_secctx(ct->secmark, &secctx, &len);
Here you define len as an int but the prototype calls for a u32 - is
this going to cause any compiler warnings?
> + if (ret)
> + return ret;
> +
> + ret = seq_printf(s, "secctx=%s ", secctx);
> +
> + security_release_secctx(secctx, len);
> + return ret;
> +}
> +#else
> +static inline int ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
> +{
> + return 0;
> +}
> +#endif
> +
> static int ct_seq_show(struct seq_file *s, void *v)
> {
> struct nf_conntrack_tuple_hash *hash = v;
> @@ -148,10 +171,8 @@ static int ct_seq_show(struct seq_file *s, void *v)
> goto release;
> #endif
>
> -#ifdef CONFIG_NF_CONNTRACK_SECMARK
> - if (seq_printf(s, "secmark=%u ", ct->secmark))
> + if (ct_show_secctx(s, ct))
> goto release;
> -#endif
>
> if (seq_printf(s, "use=%u\n", atomic_read(&ct->ct_general.use)))
> goto release;
> diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
> index eb973fc..a6985da 100644
> --- a/net/netfilter/nf_conntrack_standalone.c
> +++ b/net/netfilter/nf_conntrack_standalone.c
> @@ -15,6 +15,7 @@
> #include <linux/seq_file.h>
> #include <linux/percpu.h>
> #include <linux/netdevice.h>
> +#include <linux/security.h>
> #include <net/net_namespace.h>
> #ifdef CONFIG_SYSCTL
> #include <linux/sysctl.h>
> @@ -108,6 +109,28 @@ static void ct_seq_stop(struct seq_file *s, void *v)
> rcu_read_unlock();
> }
>
> +#ifdef CONFIG_NF_CONNTRACK_SECMARK
> +static int ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
> +{
> + int len, ret;
> + char *secctx;
> +
> + ret = security_secid_to_secctx(ct->secmark, &secctx, &len);
Same concern as above.
> + if (ret)
> + return ret;
> +
> + ret = seq_printf(s, "secctx=%s ", secctx);
> +
> + security_release_secctx(secctx, len);
> + return ret;
> +}
> +#else
> +static inline int ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
> +{
> + return 0;
> +}
> +#endif
> +
> /* return 0 on success, 1 in case of error */
> static int ct_seq_show(struct seq_file *s, void *v)
> {
> @@ -168,10 +191,8 @@ static int ct_seq_show(struct seq_file *s, void *v)
> goto release;
> #endif
>
> -#ifdef CONFIG_NF_CONNTRACK_SECMARK
> - if (seq_printf(s, "secmark=%u ", ct->secmark))
> + if (ct_show_secctx(s, ct))
> goto release;
> -#endif
>
> #ifdef CONFIG_NF_CONNTRACK_ZONES
> if (seq_printf(s, "zone=%u ", nf_ct_zone(ct)))
>
--
paul moore
linux @ hp
next prev parent reply other threads:[~2010-10-12 23:20 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-10-12 15:40 [PATCH 1/5] secmark: do not return early if there was no error Eric Paris
2010-10-12 15:40 ` [PATCH 2/5] secmark: make secmark object handling generic Eric Paris
2010-10-12 16:26 ` Jan Engelhardt
2010-10-12 17:24 ` Pablo Neira Ayuso
2010-10-12 17:45 ` Eric Paris
2010-10-12 17:53 ` Jan Engelhardt
2010-10-12 18:15 ` Pablo Neira Ayuso
2010-10-12 22:55 ` Paul Moore
2010-10-12 23:01 ` Eric Paris
2010-10-12 23:06 ` Paul Moore
2010-10-12 23:14 ` Eric Paris
2010-10-12 23:20 ` Paul Moore
2010-10-12 15:40 ` [PATCH 3/5] security: secid_to_secctx returns len when data is NULL Eric Paris
2010-10-12 23:04 ` Paul Moore
2010-10-12 15:40 ` [PATCH 4/5] conntrack: export lsm context rather than internal secid via netlink Eric Paris
2010-10-12 23:14 ` Paul Moore
2010-10-12 23:24 ` Eric Paris
2010-10-13 13:41 ` Paul Moore
2010-10-12 15:40 ` [PATCH 5/5] secmark: export secctx, drop secmark in procfs Eric Paris
2010-10-12 23:19 ` Paul Moore [this message]
2010-10-12 23:27 ` Eric Paris
2010-10-12 22:52 ` [PATCH 1/5] secmark: do not return early if there was no error Paul Moore
2010-10-12 23:38 ` James Morris
2010-10-12 23:50 ` Eric Paris
2010-10-13 4:07 ` James Morris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1286925596.5133.102.camel@sifl \
--to=paul.moore@hp.com \
--cc=eparis@redhat.com \
--cc=jengelh@medozas.de \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mr.dash.four@googlemail.com \
--cc=netfilter-devel@vger.kernel.org \
--cc=netfilter@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).