| Message ID | 20101116215257.6727.12163.stgit@paris.rdu.redhat.com |
|---|---|
| State | Accepted, archived |
| Delegated to: | David Miller |
| Headers | show |
On 16.11.2010 22:52, Eric Paris wrote: > The SELinux netfilter hooks just return NF_DROP if they drop a packet. We > want to signal that a drop in this hook is a permanant fatal error and is not > transient. If we do this the error will be passed back up the stack in some > places and applications will get a faster interaction that something went > wrong. Looks good to me. I'd suggest to have these patches go through Dave's tree since I want to make use of the netfilter error propagation mechanism to return proper errno codes for netfilter re-routing failures. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Wed, 2010-11-17 at 12:43 +0100, Patrick McHardy wrote: > On 16.11.2010 22:52, Eric Paris wrote: > > The SELinux netfilter hooks just return NF_DROP if they drop a packet. We > > want to signal that a drop in this hook is a permanant fatal error and is not > > transient. If we do this the error will be passed back up the stack in some > > places and applications will get a faster interaction that something went > > wrong. > > Looks good to me. I'd suggest to have these patches go through Dave's > tree since I want to make use of the netfilter error propagation > mechanism to return proper errno codes for netfilter re-routing > failures. I'd be happy if Dave pulled patches 1 and 2. I can resend patch #3 once I can cajole another of the SELinux maintainers to look at it (I believe he most likely one is on vacation this week) -Eric -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
From: Eric Paris <eparis@redhat.com> Date: Wed, 17 Nov 2010 09:38:59 -0500 > On Wed, 2010-11-17 at 12:43 +0100, Patrick McHardy wrote: >> On 16.11.2010 22:52, Eric Paris wrote: >> > The SELinux netfilter hooks just return NF_DROP if they drop a packet. We >> > want to signal that a drop in this hook is a permanant fatal error and is not >> > transient. If we do this the error will be passed back up the stack in some >> > places and applications will get a faster interaction that something went >> > wrong. >> >> Looks good to me. I'd suggest to have these patches go through Dave's >> tree since I want to make use of the netfilter error propagation >> mechanism to return proper errno codes for netfilter re-routing >> failures. > > > I'd be happy if Dave pulled patches 1 and 2. I can resend patch #3 once > I can cajole another of the SELinux maintainers to look at it (I believe > he most likely one is on vacation this week) I think it's best to pull this all into net-next-2.6 now, so that's what I'm doing right now. If there are problems we can apply changes on top. Thanks. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
From: Eric Paris <eparis@redhat.com> Date: Tue, 16 Nov 2010 16:52:57 -0500 > The SELinux netfilter hooks just return NF_DROP if they drop a packet. We > want to signal that a drop in this hook is a permanant fatal error and is not > transient. If we do this the error will be passed back up the stack in some > places and applications will get a faster interaction that something went > wrong. > > Signed-off-by: Eric Paris <eparis@redhat.com> Applied. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 8ba5001..b1104f9 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -4594,11 +4594,11 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, secmark_perm = PACKET__SEND; break; default: - return NF_DROP; + return NF_DROP_ERR(-ECONNREFUSED); } if (secmark_perm == PACKET__FORWARD_OUT) { if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) - return NF_DROP; + return NF_DROP_ERR(-ECONNREFUSED); } else peer_sid = SECINITSID_KERNEL; } else { @@ -4611,28 +4611,28 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, ad.u.net.netif = ifindex; ad.u.net.family = family; if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) - return NF_DROP; + return NF_DROP_ERR(-ECONNREFUSED); if (secmark_active) if (avc_has_perm(peer_sid, skb->secmark, SECCLASS_PACKET, secmark_perm, &ad)) - return NF_DROP; + return NF_DROP_ERR(-ECONNREFUSED); if (peerlbl_active) { u32 if_sid; u32 node_sid; if (sel_netif_sid(ifindex, &if_sid)) - return NF_DROP; + return NF_DROP_ERR(-ECONNREFUSED); if (avc_has_perm(peer_sid, if_sid, SECCLASS_NETIF, NETIF__EGRESS, &ad)) - return NF_DROP; + return NF_DROP_ERR(-ECONNREFUSED); if (sel_netnode_sid(addrp, family, &node_sid)) - return NF_DROP; + return NF_DROP_ERR(-ECONNREFUSED); if (avc_has_perm(peer_sid, node_sid, SECCLASS_NODE, NODE__SENDTO, &ad)) - return NF_DROP; + return NF_DROP_ERR(-ECONNREFUSED); } return NF_ACCEPT;
The SELinux netfilter hooks just return NF_DROP if they drop a packet. We want to signal that a drop in this hook is a permanant fatal error and is not transient. If we do this the error will be passed back up the stack in some places and applications will get a faster interaction that something went wrong. Signed-off-by: Eric Paris <eparis@redhat.com> --- security/selinux/hooks.c | 16 ++++++++-------- 1 files changed, 8 insertions(+), 8 deletions(-) -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html