Re: a problem in hooks of sock ?!

From: Stephen Smalley (sds@private)
Date: Mon Jul 26 2004 - 07:22:47 PDT


On Sun, 2004-07-25 at 23:30, Yuan Chunyang wrote:
> *Problem: 
>     The security domain value of new sock will be lost after sk_alloc.
> It will result in a panic.
>  
> *Details:
>     In the security_sk_alloc hook, a security value buffer is allocated to
> the new sock by kmalloc.
>     But for a TCP socket, this buffer is lost when I want to free it in
> the security_sk_free hook.
>     It often panics my computer.

This is a known limitation; the current sk security field is only
usable by local stream sockets, as noted in security.h.  The original
LSM patch included something equivalent to the diff below to allow use
by TCP sockets, but this was dropped when the LSM networking hooks and
security fields were rejected by the networking maintainers.  You can
certainly try to get it accepted upstream by the networking maintainers,
but I wouldn't count on it.  BTW, I'd advise working against the
mainline kernel tree, as the LSM BitKeeper tree seems dead (last updated
for 2.6.4 vs. current mainline of 2.6.8-rc2), and you'll have to re-base
anyway to submit any patches upstream due to differences in security.h
and elsewhere from legacy hooks.

Index: linux-2.6/include/linux/tcp.h
===================================================================
RCS file: /nfshome/pal/CVS/linux-2.6/include/linux/tcp.h,v
retrieving revision 1.1.1.7
diff -u -r1.1.1.7 tcp.h
--- linux-2.6/include/linux/tcp.h	18 Feb 2004 13:30:08 -0000	1.1.1.7
+++ linux-2.6/include/linux/tcp.h	24 Feb 2004 16:03:53 -0000
@@ -407,4 +407,10 @@
 
 #endif
 
+static inline void clone_tcp_sk(struct sock *newsk, struct sock *sk) {
+	void *sptr = newsk->sk_security;
+	memcpy(newsk, sk, sizeof(struct tcp_sock));
+	newsk->sk_security = sptr;
+}
+
 #endif	/* _LINUX_TCP_H */
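Review bot: the new inline lands after the bare `#endif` shown as leading context, which from its position immediately before `#endif /* _LINUX_TCP_H */` looks like the close of the header's kernel-only section; if that is what it closes, a userspace include of linux/tcp.h will now see `struct sock`, `struct tcp_sock` and `memcpy`, so the helper should move inside that conditional. The helper also has no comment explaining why `sk_security` is saved around the copy: newsk already owns a blob from security_sk_alloc(), and a plain whole-struct copy would make newsk alias sk's blob, leaking newsk's own blob and freeing sk's twice once both sockets pass through security_sk_free(), which is exactly the double-free reported in the parent mail. A short comment such as `/* keep newsk's own security blob rather than aliasing sk's */` would make the intent clear. Finally, `sizeof(struct tcp_sock)` is hard-coded with no statement of the precondition that both arguments are full tcp_socks; that holds for the one caller in tcp_minisocks.c, but the function name invites reuse, so the precondition belongs in a comment too.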
Index: linux-2.6/net/ipv4/tcp_minisocks.c
===================================================================
RCS file: /nfshome/pal/CVS/linux-2.6/net/ipv4/tcp_minisocks.c,v
retrieving revision 1.1.1.11
diff -u -r1.1.1.11 tcp_minisocks.c
--- linux-2.6/net/ipv4/tcp_minisocks.c	24 Nov 2003 13:44:19 -0000	1.1.1.11
+++ linux-2.6/net/ipv4/tcp_minisocks.c	24 Feb 2004 16:02:15 -0000
@@ -685,7 +685,7 @@
 		struct tcp_opt *newtp;
 		struct sk_filter *filter;
 
-		memcpy(newsk, sk, sizeof(struct tcp_sock));
+ 		clone_tcp_sk(newsk, sk);
 		newsk->sk_state = TCP_SYN_RECV;
 
 		/* SANITY */
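Review bot: the added line is indented with a leading space followed by tabs (`+ 		clone_tcp_sk(newsk, sk);`) while the surrounding context uses tabs only; the stray space should be dropped so the replacement line matches the line it replaces. On substance, swapping the memcpy for clone_tcp_sk() keeps newsk's own blob and so removes the double free, but nothing in this hunk informs the security module that newsk was derived from the listening socket sk, so newsk's blob keeps whatever security_sk_alloc() placed in it; if a module needs the child socket labelled from its parent, a hook call immediately after clone_tcp_sk() is the natural place, and the change description should state whether that is deliberately left for later.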

-- 
Stephen Smalley <sds@private>
National Security Agency
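The failure described in the thread, and the fix the diff applies, reduce to one pointer-ownership rule: a whole-struct copy must not carry the per-socket security blob pointer across, or two sockets end up owning one blob. The following user-space C program is an added illustration written for this page, not kernel code and not part of the patch; `toy_sock`, `toy_tcp_sock`, `toy_blob`, `toy_sk_alloc`, `toy_sk_free`, `naive_clone` and `safe_clone` are constructed stand-ins for `struct sock`, `struct tcp_sock`, the LSM blob, `security_sk_alloc`, `security_sk_free`, the original memcpy and the patch's `clone_tcp_sk`. It shows that the naive copy leaves both sockets pointing at the same blob (and leaks the new socket's own), while the save/copy/restore pattern keeps each socket's blob distinct and still copies the rest of the state.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the structures in the patch (not the kernel's). */
struct toy_blob { int sid; };             /* stands in for the LSM blob */

struct toy_sock {
    int state;
    void *sk_security;                    /* blob owned by this socket */
};

struct toy_tcp_sock {
    struct toy_sock sk;                   /* embedded first, like struct sock in struct tcp_sock */
    int tcp_private[8];                   /* stands in for TCP-specific state */
};

/* Models security_sk_alloc(): every socket gets its own blob. */
static int toy_sk_alloc(struct toy_tcp_sock *tsk) {
    memset(tsk, 0, sizeof(*tsk));
    struct toy_blob *b = calloc(1, sizeof(*b));
    if (!b) return -1;
    tsk->sk.sk_security = b;
    return 0;
}

/* Models security_sk_free(): the socket releases the blob it owns. */
static void toy_sk_free(struct toy_tcp_sock *tsk) {
    free(tsk->sk.sk_security);
    tsk->sk.sk_security = NULL;
}

/* Pre-patch behaviour: the copy overwrites newsk's blob pointer with sk's,
 * so both sockets now refer to one blob and newsk's own blob is leaked. */
static void naive_clone(struct toy_tcp_sock *newsk, const struct toy_tcp_sock *sk) {
    memcpy(newsk, sk, sizeof(*newsk));
}

/* Patch behaviour (clone_tcp_sk): save newsk's blob pointer around the copy. */
static void safe_clone(struct toy_tcp_sock *newsk, const struct toy_tcp_sock *sk) {
    void *sptr = newsk->sk.sk_security;
    memcpy(newsk, sk, sizeof(*newsk));
    newsk->sk.sk_security = sptr;
}

/* Returns 1 if, after cloning, newsk and sk share the same blob (the bug),
 * 0 if each keeps its own, -1 on allocation failure. Cleans up without
 * ever freeing a blob twice, so the naive case can be demonstrated safely. */
static int clone_shares_blob(int use_safe_clone) {
    struct toy_tcp_sock sk, newsk;
    if (toy_sk_alloc(&sk)) return -1;
    if (toy_sk_alloc(&newsk)) { toy_sk_free(&sk); return -1; }

    void *newsk_own_blob = newsk.sk.sk_security;   /* remember it for cleanup */
    if (use_safe_clone) safe_clone(&newsk, &sk);
    else                naive_clone(&newsk, &sk);

    int shared = (newsk.sk.sk_security == sk.sk.sk_security);
    if (shared) {
        /* Naive path: free the leaked blob ourselves and drop newsk's alias
         * so that freeing both sockets does not free sk's blob twice. */
        free(newsk_own_blob);
        newsk.sk.sk_security = NULL;
    }
    toy_sk_free(&newsk);
    toy_sk_free(&sk);
    return shared;
}

/* Returns the TCP-private value copied into newsk by the safe clone,
 * showing the save/restore does not lose the rest of the state. */
static int safe_clone_copies_fields(void) {
    struct toy_tcp_sock sk, newsk;
    if (toy_sk_alloc(&sk)) return -1;
    if (toy_sk_alloc(&newsk)) { toy_sk_free(&sk); return -1; }
    sk.tcp_private[0] = 42;               /* constructed sample state */
    safe_clone(&newsk, &sk);
    int copied = newsk.tcp_private[0];
    toy_sk_free(&newsk);
    toy_sk_free(&sk);
    return copied;
}

int main(void) {
    printf("naive clone shares blob: %d\n", clone_shares_blob(0));   /* 1 */
    printf("safe clone shares blob:  %d\n", clone_shares_blob(1));   /* 0 */
    printf("safe clone copies state: %d\n", safe_clone_copies_fields()); /* 42 */
    return 0;
}
```

The `shared` branch in `clone_shares_blob` is only there so the demonstration itself stays memory-safe; in the kernel path there is no such guard, which is why the naive copy turns into a double free in `security_sk_free`.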



This archive was generated by hypermail 2.1.3 : Mon Jul 26 2004 - 07:23:37 PDT