From patchwork Wed Apr 13 21:37:42 2016
X-Patchwork-Submitter: Paul Moore
X-Patchwork-Id: 8828871
Subject: [RFC PATCH] selinux: always return a value from the netport/netnode/netif caches
From: Paul Moore
To: selinux@tycho.nsa.gov
Date: Wed, 13 Apr 2016 17:37:42 -0400
Message-ID: <146058346288.11989.9543589385643222847.stgit@localhost>
User-Agent: StGit/0.17.1-dirty
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"
From: Paul Moore

Even if we are under memory pressure and can't allocate a new cache node we can still return the port/node/iface value we looked up from the policy.

Reported-by: Greg
Signed-off-by: Paul Moore
---
 security/selinux/netif.c   | 35 +++++++++++++----------------------
 security/selinux/netnode.c | 31 +++++++++++++++++--------------
 security/selinux/netport.c | 19 ++++++++-----------
 3 files changed, 38 insertions(+), 47 deletions(-)

diff --git a/security/selinux/netif.c b/security/selinux/netif.c index e607b44..5c3bfa4 100644 --- a/security/selinux/netif.c +++ b/security/selinux/netif.c @@ -91,18 +91,16 @@ static inline struct sel_netif *sel_netif_find(const struct net *ns, * zero on success, negative values on failure. * */ -static int sel_netif_insert(struct sel_netif *netif) +static void sel_netif_insert(struct sel_netif *netif) { int idx; if (sel_netif_total >= SEL_NETIF_HASH_MAX) - return -ENOSPC; + return; idx = sel_netif_hashfn(netif->nsec.ns, netif->nsec.ifindex); list_add_rcu(&netif->list, &sel_netif_hash[idx]); sel_netif_total++; - - return 0; } /** @@ -135,7 +133,7 @@ static void sel_netif_destroy(struct sel_netif *netif) */ static int sel_netif_sid_slow(struct net *ns, int ifindex, u32 *sid) { - int ret; + int ret = 0; struct sel_netif *netif; struct sel_netif *new = NULL; struct net_device *dev;
@@ -155,34 +153,27 @@ static int sel_netif_sid_slow(struct net *ns, int ifindex, u32 *sid) netif = sel_netif_find(ns, ifindex); if (netif != NULL) { *sid = netif->nsec.sid; - ret = 0; goto out; } - new = kzalloc(sizeof(*new), GFP_ATOMIC); - if (new == NULL) { - ret = -ENOMEM; + ret = security_netif_sid(dev->name, sid); + if (ret != 0) { + printk(KERN_WARNING + "SELinux: failure in sel_netif_sid_slow()," + " unable to determine network interface label (%d)\n", + ifindex); goto out; } - ret = security_netif_sid(dev->name, &new->nsec.sid); - if (ret != 0) + new = kzalloc(sizeof(*new), GFP_ATOMIC); + if (new == NULL) goto out; new->nsec.ns = ns; new->nsec.ifindex = ifindex; - ret = sel_netif_insert(new); - if (ret != 0) - goto out; - *sid = new->nsec.sid; + new->nsec.sid = *sid; + sel_netif_insert(new); out: spin_unlock_bh(&sel_netif_lock); dev_put(dev); - if (unlikely(ret)) { - printk(KERN_WARNING - "SELinux: failure in sel_netif_sid_slow()," - " unable to determine network interface label (%d)\n", - ifindex); - kfree(new); - } return ret; } diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c index da923f8..b752bd2 100644 --- a/security/selinux/netnode.c +++ b/security/selinux/netnode.c @@ -199,7 +199,7 @@ static void sel_netnode_insert(struct sel_netnode *node) */ static int sel_netnode_sid_slow(void *addr, u16 family, u32 *sid) { - int ret = -ENOMEM; + int ret; struct sel_netnode *node; struct sel_netnode *new = NULL; 
@@ -210,39 +210,42 @@ static int sel_netnode_sid_slow(void *addr, u16 family, u32 *sid) spin_unlock_bh(&sel_netnode_lock); return 0; } - new = kzalloc(sizeof(*new), GFP_ATOMIC); - if (new == NULL) - goto out; switch (family) { case PF_INET: ret = security_node_sid(PF_INET, addr, sizeof(struct in_addr), sid); - new->nsec.addr.ipv4 = *(__be32 *)addr; break; case PF_INET6: ret = security_node_sid(PF_INET6, addr, sizeof(struct in6_addr), sid); - new->nsec.addr.ipv6 = *(struct in6_addr *)addr; break; default: BUG(); ret = -EINVAL; } - if (ret != 0) + if (ret != 0) { + printk(KERN_WARNING + "SELinux: failure in sel_netnode_sid_slow()," + " unable to determine network node label\n"); goto out; - + } + new = kzalloc(sizeof(*new), GFP_ATOMIC); + if (new == NULL) + goto out; + switch (family) { + case PF_INET: + new->nsec.addr.ipv4 = *(__be32 *)addr; + break; + case PF_INET6: + new->nsec.addr.ipv6 = *(struct in6_addr *)addr; + break; + } new->nsec.family = family; new->nsec.sid = *sid; sel_netnode_insert(new); out: spin_unlock_bh(&sel_netnode_lock); - if (unlikely(ret)) { - printk(KERN_WARNING - "SELinux: failure in sel_netnode_sid_slow()," - " unable to determine network node label\n"); - kfree(new); - } return ret; } diff --git a/security/selinux/netport.c b/security/selinux/netport.c index 3311cc3..189c293 100644 --- a/security/selinux/netport.c +++ b/security/selinux/netport.c @@ -147,7 +147,7 @@ static void sel_netport_insert(struct sel_netport *port) */ static int sel_netport_sid_slow(u8 protocol, u16 pnum, u32 *sid) { - int ret = -ENOMEM; + int ret; struct sel_netport *port; struct sel_netport *new = NULL; 
@@ -158,13 +158,16 @@ static int sel_netport_sid_slow(u8 protocol, u16 pnum, u32 *sid) spin_unlock_bh(&sel_netport_lock); return 0; } + ret = security_port_sid(protocol, pnum, sid); + if (ret != 0) { + printk(KERN_WARNING + "SELinux: failure in sel_netport_sid_slow()," + " unable to determine network port label\n"); + goto out; + } new = kzalloc(sizeof(*new), GFP_ATOMIC); if (new == NULL) goto out; - ret = security_port_sid(protocol, pnum, sid); - if (ret != 0) - goto out; - new->psec.port = pnum; new->psec.protocol = protocol; new->psec.sid = *sid; @@ -172,12 +175,6 @@ static int sel_netport_sid_slow(u8 protocol, u16 pnum, u32 *sid) out: spin_unlock_bh(&sel_netport_lock); - if (unlikely(ret)) { - printk(KERN_WARNING - "SELinux: failure in sel_netport_sid_slow()," - " unable to determine network port label\n"); - kfree(new); - } return ret; }
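Review bot: in the netif.c hunks, sel_netif_insert() now returns silently when sel_netif_total >= SEL_NETIF_HASH_MAX, but sel_netif_sid_slow() no longer frees `new` after the call (the `kfree(new)` in the removed `unlikely(ret)` block was the only thing that handled the old -ENOSPC path), so once the table is full every cache miss leaks one struct sel_netif. Either keep a return value from sel_netif_insert() and `kfree(new)` when it fails, or free the node inside the insert function when it cannot be added. The kernel-doc line left as context above the function ("zero on success, negative values on failure.") also needs updating now that the function is void.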
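Review bot: in the sel_netnode_sid_slow() hunk the failure printk() now sits before `goto out`, so it runs while sel_netnode_lock is still held (the removed block logged after the spin_unlock_bh() at `out:`), and a node with no matching policy entry can reach this path on every packet; consider printk_ratelimited() or keeping the message after the unlock. The second `switch (family)` that copies the address into new->nsec.addr duplicates the first one; a memcpy() using the same length already chosen for security_node_sid() would avoid it.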
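Review bot: the netport.c hunk (and the matching netnode.c one) drops the initializer and leaves `int ret;`, while netif.c uses `int ret = 0;`; since a kzalloc() failure is now intentionally treated as success with the already-filled *sid, an explicit `= 0` in all three files would make that intent visible and keep the functions consistent. As in netnode.c, the printk() here now runs under sel_netport_lock rather than after the spin_unlock_bh() at `out:`, so the same rate-limiting or placement concern applies.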