Message ID | 20191113182506.2580-2-casey@schaufler-ca.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | [v11,01/25] LSM: Infrastructure management of the sock security | expand |
On 11/13/19 10:24 AM, Casey Schaufler wrote: > Change netlink netfilter interfaces to use lsmcontext > pointers, and remove scaffolding. > > Reviewed-by: Kees Cook <keescook@chromium.org> > Reviewed-by: John Johansen <john.johansen@canonical.com> > Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> > cc: netdev@vger.kernel.org Acked-by: John Johansen <john.johansen@canonical.com> > --- > net/netfilter/nfnetlink_queue.c | 32 +++++++++++++------------------- > 1 file changed, 13 insertions(+), 19 deletions(-) > > diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c > index 2d6668fd026c..a1296453d8f2 100644 > --- a/net/netfilter/nfnetlink_queue.c > +++ b/net/netfilter/nfnetlink_queue.c > @@ -301,12 +301,10 @@ static int nfqnl_put_sk_uidgid(struct sk_buff *skb, struct sock *sk) > return -1; > } > > -static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata) > +static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, struct lsmcontext *context) > { > - u32 seclen = 0; > #if IS_ENABLED(CONFIG_NETWORK_SECMARK) > struct lsmblob blob; > - struct lsmcontext context = { }; > > if (!skb || !sk_fullsock(skb->sk)) > return 0; > @@ -314,15 +312,16 @@ static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata) > read_lock_bh(&skb->sk->sk_callback_lock); > > if (skb->secmark) { > + /* Any LSM might be looking for the secmark */ > lsmblob_init(&blob, skb->secmark); > - security_secid_to_secctx(&blob, &context); > - *secdata = context.context; > + security_secid_to_secctx(&blob, context); > } > > read_unlock_bh(&skb->sk->sk_callback_lock); > - seclen = context.len; > + return context->len; > +#else > + return 0; > #endif > - return seclen; > } > > static u32 nfqnl_get_bridge_size(struct nf_queue_entry *entry) > @@ -398,8 +397,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, > enum ip_conntrack_info uninitialized_var(ctinfo); > struct nfnl_ct_hook *nfnl_ct; > bool csum_verify; > - struct lsmcontext scaff; /* scaffolding */ > - char *secdata = NULL; > + struct lsmcontext context = { }; > u32 seclen = 0; > > size = nlmsg_total_size(sizeof(struct nfgenmsg)) > @@ -466,7 +464,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, > } > > if ((queue->flags & NFQA_CFG_F_SECCTX) && entskb->sk) { > - seclen = nfqnl_get_sk_secctx(entskb, &secdata); > + seclen = nfqnl_get_sk_secctx(entskb, &context); > if (seclen) > size += nla_total_size(seclen); > } > @@ -601,7 +599,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, > nfqnl_put_sk_uidgid(skb, entskb->sk) < 0) > goto nla_put_failure; > > - if (seclen && nla_put(skb, NFQA_SECCTX, seclen, secdata)) > + if (seclen && nla_put(skb, NFQA_SECCTX, context.len, context.context)) > goto nla_put_failure; > > if (ct && nfnl_ct->build(skb, ct, ctinfo, NFQA_CT, NFQA_CT_INFO) < 0) > @@ -629,10 +627,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, > } > > nlh->nlmsg_len = skb->len; > - if (seclen) { > - lsmcontext_init(&scaff, secdata, seclen, 0); > - security_release_secctx(&scaff); > - } > + if (seclen) > + security_release_secctx(&context); > return skb; > > nla_put_failure: > @@ -640,10 +636,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, > kfree_skb(skb); > net_err_ratelimited("nf_queue: error creating packet message\n"); > nlmsg_failure: > - if (seclen) { > - lsmcontext_init(&scaff, secdata, seclen, 0); > - security_release_secctx(&scaff); > - } > + if (seclen) > + security_release_secctx(&context); > return NULL; > } > >
On Thu, 21 Nov 2019, John Johansen wrote: > On 11/13/19 10:24 AM, Casey Schaufler wrote: > > Change netlink netfilter interfaces to use lsmcontext > > pointers, and remove scaffolding. > > > > Reviewed-by: Kees Cook <keescook@chromium.org> > > Reviewed-by: John Johansen <john.johansen@canonical.com> > > Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> > > cc: netdev@vger.kernel.org > > Acked-by: John Johansen <john.johansen@canonical.com> Just to clarify, you don't need to ack if you've already added a reviewed-by, I just want to make sure all of the patches have some kind of signoff.
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index 2d6668fd026c..a1296453d8f2 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c @@ -301,12 +301,10 @@ static int nfqnl_put_sk_uidgid(struct sk_buff *skb, struct sock *sk) return -1; } -static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata) +static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, struct lsmcontext *context) { - u32 seclen = 0; #if IS_ENABLED(CONFIG_NETWORK_SECMARK) struct lsmblob blob; - struct lsmcontext context = { }; if (!skb || !sk_fullsock(skb->sk)) return 0; @@ -314,15 +312,16 @@ static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata) read_lock_bh(&skb->sk->sk_callback_lock); if (skb->secmark) { + /* Any LSM might be looking for the secmark */ lsmblob_init(&blob, skb->secmark); - security_secid_to_secctx(&blob, &context); - *secdata = context.context; + security_secid_to_secctx(&blob, context); } read_unlock_bh(&skb->sk->sk_callback_lock); - seclen = context.len; + return context->len; +#else + return 0; #endif - return seclen; } static u32 nfqnl_get_bridge_size(struct nf_queue_entry *entry) @@ -398,8 +397,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, enum ip_conntrack_info uninitialized_var(ctinfo); struct nfnl_ct_hook *nfnl_ct; bool csum_verify; - struct lsmcontext scaff; /* scaffolding */ - char *secdata = NULL; + struct lsmcontext context = { }; u32 seclen = 0; size = nlmsg_total_size(sizeof(struct nfgenmsg)) @@ -466,7 +464,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, } if ((queue->flags & NFQA_CFG_F_SECCTX) && entskb->sk) { - seclen = nfqnl_get_sk_secctx(entskb, &secdata); + seclen = nfqnl_get_sk_secctx(entskb, &context); if (seclen) size += nla_total_size(seclen); } @@ -601,7 +599,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, nfqnl_put_sk_uidgid(skb, entskb->sk) < 0) goto nla_put_failure; - if (seclen && nla_put(skb, NFQA_SECCTX, seclen, secdata)) + if (seclen && nla_put(skb, NFQA_SECCTX, context.len, context.context)) goto nla_put_failure; if (ct && nfnl_ct->build(skb, ct, ctinfo, NFQA_CT, NFQA_CT_INFO) < 0) @@ -629,10 +627,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, } nlh->nlmsg_len = skb->len; - if (seclen) { - lsmcontext_init(&scaff, secdata, seclen, 0); - security_release_secctx(&scaff); - } + if (seclen) + security_release_secctx(&context); return skb; nla_put_failure: @@ -640,10 +636,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, kfree_skb(skb); net_err_ratelimited("nf_queue: error creating packet message\n"); nlmsg_failure: - if (seclen) { - lsmcontext_init(&scaff, secdata, seclen, 0); - security_release_secctx(&scaff); - } + if (seclen) + security_release_secctx(&context); return NULL; }