From: Florian Westphal <fw@strlen.de>
To: Roman Kubiak <r.kubiak@samsung.com>
Cc: "Florian Westphal" <fw@strlen.de>,
"Pablo Neira Ayuso" <pablo@netfilter.org>,
netfilter-devel@vger.kernel.org,
"Rafał Krypa" <r.krypa@samsung.com>
Subject: Re: [PATCH v3] nfnetlink_queue: add security context information
Date: Fri, 12 Jun 2015 01:37:57 +0200 [thread overview]
Message-ID: <20150611233757.GE7125@breakpoint.cc> (raw)
In-Reply-To: <55798582.1040903@samsung.com>
Roman Kubiak <r.kubiak@samsung.com> wrote:
> Fixes applied (i'm not sure how i should use the mask parameter to check if NFQA_CFG_F_SECCTX is set
> on the userspace side both the mask and the flag are the same value when i looked at how uid/gid
> are set, maybe this could be done better?)
[..]
> @@ -1142,7 +1170,12 @@ nfqnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
> ret = -EOPNOTSUPP;
> goto err_out_unlock;
> }
> -
> +#if !IS_ENABLED(CONFIG_NETWORK_SECMARK)
> + if (flags == NFQA_CFG_F_SECCTX) {
> + ret = -EOPNOTSUPP;
> + goto err_out_unlock;
> + }
> +#endif
> spin_lock_bh(&queue->lock);
> queue->flags &= ~mask;
> queue->flags |= flags & mask;
Based on last two lines it appears the test should be something like
if (flags & mask & NFQA_CFG_F_SECCTX)
return -EOPNOTSUPP;
[ seems intent is to allow unsetting some flag(s) via
flags = SOME_FEAT_I_WANT;
mask = SOME_FEAT_I_WANT|SOME_FEAT_I_WANT_TO_SWITCH_OFF; ]
next prev parent reply other threads:[~2015-06-11 23:38 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-25 10:16 [PATCH] Security context information added to netfilter_queue Roman Kubiak
2015-05-25 10:48 ` Florian Westphal
2015-05-25 13:13 ` Pablo Neira Ayuso
2015-05-25 16:09 ` [PATCH v2] nfnetlink_queue: add security context information Roman Kubiak
2015-05-25 20:52 ` Florian Westphal
2015-05-26 12:29 ` Roman Kubiak
2015-05-26 13:06 ` Florian Westphal
2015-05-27 11:04 ` [PATCH v3] " Roman Kubiak
2015-05-27 11:12 ` Roman Kubiak
2015-05-27 12:49 ` Pablo Neira Ayuso
2015-06-10 15:20 ` Roman Kubiak
2015-06-10 16:05 ` Florian Westphal
2015-06-11 12:56 ` Roman Kubiak
2015-06-11 23:37 ` Florian Westphal [this message]
2015-06-12 10:32 ` Roman Kubiak
2015-06-12 10:42 ` Florian Westphal
2015-06-12 13:02 ` [PATCH v3] nfnetlink_queue: add security context informationg Pablo Neira Ayuso
2015-06-16 12:25 ` [PATCH] libmnl: security context retrieval in nf-queue example Roman Kubiak
2015-06-16 12:37 ` Pablo Neira Ayuso
2015-06-16 12:58 ` Roman Kubiak
2015-06-16 15:25 ` Pablo Neira Ayuso
2015-06-16 16:14 ` Roman Kubiak
2015-06-30 15:33 ` Pablo Neira Ayuso
2015-06-18 19:02 ` [PATCH v3] nfnetlink_queue: add security context information Pablo Neira Ayuso
2015-05-27 11:48 ` Florian Westphal
2015-05-28 16:11 ` Roman Kubiak
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150611233757.GE7125@breakpoint.cc \
--to=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=r.krypa@samsung.com \
--cc=r.kubiak@samsung.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).