From: Florian Westphal <fw@strlen.de>
To: Roman Kubiak <r.kubiak@samsung.com>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH v2] nfnetlink_queue: add security context information
Date: Mon, 25 May 2015 22:52:10 +0200 [thread overview]
Message-ID: <20150525205210.GG3629@breakpoint.cc> (raw)
In-Reply-To: <55634935.4020100@samsung.com>
Roman Kubiak <r.kubiak@samsung.com> wrote:
> [sidenote]
> The additional NULL at the end of the security context is there because SMACK does not add this
> to it's labels while SELinux does. So in order to avoid checking i just add it always.
> This additional byte is also represented when calculating the size.
> I did that because we are not transmitting the size of the context and there is no specified
> max length so it has to be NULL terminated (at least it seemed like a valid solution)
The netlink header contains the size of the attribute.
I'd prefer to not have the kernel deal with NULL termination.
> +static u32 nfqnl_get_sk_secctx(struct sock *sk, char **secdata)
> +{
> + u32 secid = 0;
> + u32 seclen = 0;
> + int ret = -1;
> +
> + if (!sk || !sk_fullsock(sk))
> + return ret;
return 0/return seclen?
> + if ((queue->flags & NFQA_CFG_F_SECCTX) && entskb->sk) {
> + seclen = nfqnl_get_sk_secctx(entskb->sk, &secdata);
> + if (seclen > 0)
> + size += nla_total_size(seclen) + 1;
Wrong intent level for if (seclen > 0)
Other than this, it looks ok to me.
next prev parent reply other threads:[~2015-05-25 20:52 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-25 10:16 [PATCH] Security context information added to netfilter_queue Roman Kubiak
2015-05-25 10:48 ` Florian Westphal
2015-05-25 13:13 ` Pablo Neira Ayuso
2015-05-25 16:09 ` [PATCH v2] nfnetlink_queue: add security context information Roman Kubiak
2015-05-25 20:52 ` Florian Westphal [this message]
2015-05-26 12:29 ` Roman Kubiak
2015-05-26 13:06 ` Florian Westphal
2015-05-27 11:04 ` [PATCH v3] " Roman Kubiak
2015-05-27 11:12 ` Roman Kubiak
2015-05-27 12:49 ` Pablo Neira Ayuso
2015-06-10 15:20 ` Roman Kubiak
2015-06-10 16:05 ` Florian Westphal
2015-06-11 12:56 ` Roman Kubiak
2015-06-11 23:37 ` Florian Westphal
2015-06-12 10:32 ` Roman Kubiak
2015-06-12 10:42 ` Florian Westphal
2015-06-12 13:02 ` [PATCH v3] nfnetlink_queue: add security context informationg Pablo Neira Ayuso
2015-06-16 12:25 ` [PATCH] libmnl: security context retrieval in nf-queue example Roman Kubiak
2015-06-16 12:37 ` Pablo Neira Ayuso
2015-06-16 12:58 ` Roman Kubiak
2015-06-16 15:25 ` Pablo Neira Ayuso
2015-06-16 16:14 ` Roman Kubiak
2015-06-30 15:33 ` Pablo Neira Ayuso
2015-06-18 19:02 ` [PATCH v3] nfnetlink_queue: add security context information Pablo Neira Ayuso
2015-05-27 11:48 ` Florian Westphal
2015-05-28 16:11 ` Roman Kubiak
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150525205210.GG3629@breakpoint.cc \
--to=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=r.kubiak@samsung.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).