| Message ID | 163466736648.20044.16531188246866586566.stgit@olly (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to: | Paul Moore |
| Headers | show |
| Series | selinux: fix a sock regression in selinux_ip_postroute_compat() | expand |
On Tue, Oct 19, 2021 at 8:16 PM Paul Moore <paul@paul-moore.com> wrote: > Unfortunately we can't rely on nf_hook_state->sk being the proper > originating socket so revert to using skb_to_full_sk(skb). > > Fixes: 1d1e1ded1356 ("1d1e1ded13568be81a0e19d228e310a48997bec8") This doesn't seem right :) > Reported-by: Linux Kernel Functional Testing <lkft@linaro.org> > Suggested-by: Florian Westphal <fw@strlen.de> > Signed-off-by: Paul Moore <paul@paul-moore.com> > --- > security/selinux/hooks.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index b4a1bde20261..6f08cd2fc6a8 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -5778,9 +5778,9 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, > struct lsm_network_audit net = {0,}; > u8 proto; > > - if (state->sk == NULL) > - return NF_ACCEPT; > sk = skb_to_full_sk(skb); > + if (sk == NULL) > + return NF_ACCEPT; > sksec = sk->sk_security; > > ad.type = LSM_AUDIT_DATA_NET; >
On Tue, Oct 19, 2021 at 4:51 PM Ondrej Mosnacek <omosnace@redhat.com> wrote: > > On Tue, Oct 19, 2021 at 8:16 PM Paul Moore <paul@paul-moore.com> wrote: > > Unfortunately we can't rely on nf_hook_state->sk being the proper > > originating socket so revert to using skb_to_full_sk(skb). > > > > Fixes: 1d1e1ded1356 ("1d1e1ded13568be81a0e19d228e310a48997bec8") > > This doesn't seem right :) It does seem a little off, doesn't it? Thanks for catching this, I fixed it up in my local tree. In case anyone is interested in my long winded excuse ... I replaced my old trusty mouse this morning (one of the buttons was starting to become decidedly un-trusty) and while switching between my Linux system and my Windows system (employer VPN box) I learned that my new mouse actually gets reprogrammed on-the-fly by the Windows driver/config-software such that my middle mouse button was non-functional when returning the Linux and hence my usual workflow of "highlight and middle-click" was temporarily replaced with ctrl-c and crtl-v which was awkward and resulted in some copy-n-paste snafus. I wanted to get the patch posted to the list so I did that before finding a solution to my mouse problems, perhaps that wasn't the best order :)
On Tue, Oct 19, 2021 at 2:16 PM Paul Moore <paul@paul-moore.com> wrote: > > Unfortunately we can't rely on nf_hook_state->sk being the proper > originating socket so revert to using skb_to_full_sk(skb). > > Fixes: 1d1e1ded1356 ("1d1e1ded13568be81a0e19d228e310a48997bec8") > Reported-by: Linux Kernel Functional Testing <lkft@linaro.org> > Suggested-by: Florian Westphal <fw@strlen.de> > Signed-off-by: Paul Moore <paul@paul-moore.com> > --- > security/selinux/hooks.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) Merged into selinux/next, with the corrected Fixes line that Ondrej pointed out.
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index b4a1bde20261..6f08cd2fc6a8 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -5778,9 +5778,9 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, struct lsm_network_audit net = {0,}; u8 proto; - if (state->sk == NULL) - return NF_ACCEPT; sk = skb_to_full_sk(skb); + if (sk == NULL) + return NF_ACCEPT; sksec = sk->sk_security; ad.type = LSM_AUDIT_DATA_NET;
Unfortunately we can't rely on nf_hook_state->sk being the proper originating socket so revert to using skb_to_full_sk(skb). Fixes: 1d1e1ded1356 ("1d1e1ded13568be81a0e19d228e310a48997bec8") Reported-by: Linux Kernel Functional Testing <lkft@linaro.org> Suggested-by: Florian Westphal <fw@strlen.de> Signed-off-by: Paul Moore <paul@paul-moore.com> --- security/selinux/hooks.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)