Re: 2.6.9-rc2-mm4-VP-S7 - ksoftirq and selinux oddity

From: Stephen Smalley
Date: Thu Oct 07 2004 - 09:02:49 EST

Next message: Alan Cox: "RE: [Patch] new serial flow control"
Previous message: Rui Nuno Capela: "Re: [patch] voluntary-preempt-2.6.9-rc3-mm3-T3"
In reply to: Valdis . Kletnieks: "2.6.9-rc2-mm4-VP-S7 - ksoftirq and selinux oddity"
Next in thread: Ingo Molnar: "Re: 2.6.9-rc2-mm4-VP-S7 - ksoftirq and selinux oddity"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 2004-10-07 at 01:42, Valdis.Kletnieks@xxxxxx wrote:
> audit(1097111349.727:0): avc: denied { tcp_recv } for pid=2 comm=ksoftirqd/0 saddr=127.0.0.1 src=25 daddr=127.0.0.1 dest=59639 netif=lo scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:netif_lo_t tclass=netif
> audit(1097111349.754:0): avc: denied { tcp_recv } for pid=2 comm=ksoftirqd/0 saddr=127.0.0.1 src=25 daddr=127.0.0.1 dest=59639 netif=lo scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:node_lo_t tclass=node
> audit(1097111349.782:0): avc: denied { recv_msg } for pid=2 comm=ksoftirqd/0 saddr=127.0.0.1 src=25 daddr=127.0.0.1 dest=59639 netif=lo scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:smtp_port_t tclass=tcp_socket
>
> At least for the recv_msg error, I *think* the message is generated because
> when we get into net/socket.c, we call security_socket_recvmsg() in
> __recv_msg() - and (possibly only when we have the VP patch applied?) at that
> point we're in a softirqd context rather than the context of the process that
> will finally receive the packet, so the SELinux code ends up checking the wrong
> credentials. I've not waded through the code enough to figure out exactly
> where the two tcp_recv messages are generated, but I suspect the root cause is
> the same for all three messages.

Valdis,

These permission checks are based on the receiving socket security
context, not any process security context, and are performed by the
sock_rcv_skb hook when mediating packet receipt on a socket. The
auxiliary pid and comm or exe information is meaningless for such
checks. avc_audit could possibly be modified to check whether we are in
softirq and omit them in those cases from the audit messages. This has
been discussed previously on the selinux mailing list, please see the
archives.

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Alan Cox: "RE: [Patch] new serial flow control"
Previous message: Rui Nuno Capela: "Re: [patch] voluntary-preempt-2.6.9-rc3-mm3-T3"
In reply to: Valdis . Kletnieks: "2.6.9-rc2-mm4-VP-S7 - ksoftirq and selinux oddity"
Next in thread: Ingo Molnar: "Re: 2.6.9-rc2-mm4-VP-S7 - ksoftirq and selinux oddity"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]