Re: [PATCH] SMACK netfilter smacklabel socket match

From: etienne
Date: Wed Feb 18 2009 - 02:23:39 EST

Next message: etienne: "Re: [PATCH] SMACK smacklabel : apply &MASK to IP inserted in /smack/netlabel"
Previous message: Greg KH: "Re: [PATCH v9 6/7] PCI: document SR-IOV sysfs entries"
In reply to: Paul Moore: "Re: [PATCH] SMACK netfilter smacklabel socket match"
Next in thread: Paul Moore: "Re: [PATCH] SMACK netfilter smacklabel socket match"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Paul Moore wrote:
> On Tuesday 17 February 2009 03:01:15 pm etienne wrote:
>> I realize this patch is a little ugly, a cleaner way would be to insert
>> struct smk_netlbladdr sorted from longest to smallest mask and break the
>> loop as soon as we have a match... regards,
>
> Agreed, the address matching code really should be improved; if you feel like
> you could contribute the changes I'm pretty sure Casey would welcome the
> patches :)
>
yes I could try that, this week-end maybe

> Regarding your fix below, I think a cleaner solution would be to do something
> like the following in place of the existing mask check ...
>
> if ((miap->s_addr & bestmask.s_addr) || (bestmask.s_addr == 0)) {
> bestmask.s_addr = miap->s_addr;
> bestlabel = snp->smk_label;
> }
>
> ... however there is one small problem with this approach (your proposal
> suffers from the same issue): normally the smack_host_label() code prefers the
> first matching entry in the list, the change above preserves that with the
> exception of a 0.0.0.0/0 entry. Granted, you shouldn't allow that in the
> first place but I believe it is possible so it is something that needs to be
> taken into consideration.
>
hummm... I didn't see it that way; I think this function is basically a reimplementation of IPv4 classless routing (longest match first)?
anyway, I think the cleanest way would be to, well, sort smk_netlbladdr by mask on insertion (perf doesn't matter here) and this way smack_host_label can stop the loop on first match.
Plus, it would give a nicer /smack/netlabel ouptut :)

so, how should we handle it? apply the patches (with whitespaces damages corrected ;) ) now (as it corrects a bug) an elaborate the cleaner way later?
I think this should go to stable too?

regards
Etienne

>> Signed-off-by: Etienne <etienne.basset@xxxxxxxxxxxxxx>
>> ------
>> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
>> index 0278bc0..9d2576d 100644
>> --- a/security/smack/smack_lsm.c
>> +++ b/security/smack/smack_lsm.c
>> @@ -1540,7 +1540,7 @@ static char *smack_host_label(struct sockaddr_in
>> *sip) * If the list entry mask is less specific than the best * already
>> found this entry is uninteresting.
>> */
>> - if ((miap->s_addr | bestmask.s_addr) == bestmask.s_addr)
>> + if ( ((miap->s_addr | bestmask.s_addr) == bestmask.s_addr)
>> && (miap->s_addr | bestmask.s_addr) != 0 ) continue;
>> /*
>> * This is better than any entry found so far.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: etienne: "Re: [PATCH] SMACK smacklabel : apply &MASK to IP inserted in /smack/netlabel"
Previous message: Greg KH: "Re: [PATCH v9 6/7] PCI: document SR-IOV sysfs entries"
In reply to: Paul Moore: "Re: [PATCH] SMACK netfilter smacklabel socket match"
Next in thread: Paul Moore: "Re: [PATCH] SMACK netfilter smacklabel socket match"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]