On Thu, 11 Jul 2002, James Morris wrote:

> What about utilizing the zero_it argument to sk_alloc(), so that
> sk_alloc_security() is not called if its value is zero. The only time
> this is zero is during the allocation of the new sk in
> tcp_create_openreq_child(), and in this case, an sk security field can
> then be allocated explicitly during the new hook call. For SELinux, this
> would be caught by extsocket_sock_precondition() in any case, right?

No, the extsocket_sock_precondition call would see the copied pointer from the listening socket (copied by the memcpy prior to the hook call), and the hook function would end up using that security blob. To function properly, the SELinux tcp_create_openreq_child hook function would need to ignore any existing value of sk->security and replace it with a pointer to a newly allocated security blob.

I'm also concerned by the failure to at least clear sk->security in the case where zero_it is 0. That creates a nontrivial risk that someone will call sk_alloc with a 0 zero_it and fail to ever initialize sk->security, leading to a later failure when sk_free calls the free_security hook and garbage is contained in sk->security.

--
Stephen D. Smalley, NAI Labs
ssmalleyat_private

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Wed Jul 10 2002 - 09:08:43 PDT
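The two hazards raised in the message above can be modelled in user space. This is an added example, not code from the message or from the LSM patch: the structs are simplified stand-ins, and `alloc_security()`, `create_child()` and `blobs_live` are hypothetical names used only for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* User-space model only; not kernel code. */
struct blob { int sid; };
struct sock { int state; void *security; };

static int blobs_live;                    /* outstanding security blobs */

/* Stand-in for the allocation hook: overwrites sk->security
 * unconditionally and never trusts a value already stored there. */
static int alloc_security(struct sock *sk)
{
    struct blob *b = calloc(1, sizeof(*b));
    if (!b) return -1;
    sk->security = b;
    blobs_live++;
    return 0;
}

static struct sock *sk_alloc(int zero_it)
{
    struct sock *sk = malloc(sizeof(*sk));
    if (!sk) return NULL;
    if (zero_it) {
        memset(sk, 0, sizeof(*sk));
        if (alloc_security(sk)) { free(sk); return NULL; }
    } else {
        sk->security = NULL;              /* cleared even when zero_it == 0 */
    }
    return sk;
}

static void sk_free(struct sock *sk)
{
    if (sk->security) { free(sk->security); blobs_live--; }
    free(sk);
}

/* Stand-in for the tcp_create_openreq_child() path. */
static struct sock *create_child(const struct sock *listener)
{
    struct sock *newsk = sk_alloc(0);
    if (!newsk) return NULL;
    memcpy(newsk, listener, sizeof(*newsk)); /* security now aliases listener's blob */
    if (alloc_security(newsk)) {             /* hook replaces the copied pointer */
        newsk->security = NULL;              /* do not free the listener's blob */
        sk_free(newsk);
        return NULL;
    }
    return newsk;
}

int main(void)
{
    struct sock *l = sk_alloc(1), *c = l ? create_child(l) : NULL;
    if (c) sk_free(c);
    if (l) sk_free(l);
    return blobs_live;                    /* 0 when every blob was freed once */
}
```

If `create_child()` kept the copied pointer instead of replacing it, both `sk_free()` calls would free the same blob; if `sk_alloc(0)` left the field uninitialized, `sk_free()` would hand garbage to `free()`.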