James Morris | 1 Oct 2008 03:43

Re: [RFC PATCH v6 04/16] selinux: Better local/forward check in selinux_ip_postroute()

On Tue, 16 Sep 2008, Paul Moore wrote:

> It turns out that checking to see if skb->sk is NULL is not a very good
> indicator of a forwarded packet as some locally generated packets also have
> skb->sk set to NULL.  Fix this by not only checking the skb->sk field but also
> the IP[6]CB(skb)->flags field for the IP[6]SKB_FORWARDED flag.  While we are
> at it, we are calling selinux_parse_skb() much earlier than we really should
> resulting in potentially wasted cycles parsing packets for information we
> might not use; so shuffle the code around a bit to fix this.
> 
> Signed-off-by: Paul Moore <paul.moore <at> hp.com>

Acked-by: James Morris <jmorris <at> namei.org>

(Wow, this code is getting complex... :-)

-- 
James Morris
<jmorris <at> namei.org>
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo <at> vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Paul Moore | 1 Oct 2008 18:41

Re: [RFC PATCH v6 04/16] selinux: Better local/forward check in selinux_ip_postroute()

On Tuesday 30 September 2008 9:43:12 pm James Morris wrote:
> On Tue, 16 Sep 2008, Paul Moore wrote:
> > It turns out that checking to see if skb->sk is NULL is not a very
> > good indicator of a forwarded packet as some locally generated
> > packets also have skb->sk set to NULL.  Fix this by not only
> > checking the skb->sk field but also the IP[6]CB(skb)->flags field
> > for the IP[6]SKB_FORWARDED flag.  While we are at it, we are
> > calling selinux_parse_skb() much earlier than we really should
> > resulting in potentially wasted cycles parsing packets for
> > information we might not use; so shuffle the code around a bit to
> > fix this.
> >
> > Signed-off-by: Paul Moore <paul.moore <at> hp.com>
>
> Acked-by: James Morris <jmorris <at> namei.org>
>
> (Wow, this code is getting complex... :-)

Yeah, it is pretty surprising too (at least to me anyway).  I'm beginning 
to think our common case is the existence of corner cases :)

-- 
paul moore
linux  <at>  hp

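The local/forward distinction the quoted commit message describes, as an added stand-alone illustration that is not the kernel's code nor part of this thread: the old heuristic treats every packet without an owning socket as forwarded, so kernel-generated packets (no socket, no forwarded flag) are misclassified; the fixed check also consults the forwarded flag in the control block. `struct mock_skb`, `struct mock_sock`, `cb_flags` and the flag value are constructed stand-ins for `sk_buff`, `IPCB(skb)->flags` and `IPSKB_FORWARDED`.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins; the value of the flag is arbitrary here and is
 * not the kernel's IPSKB_FORWARDED definition. */
#define MOCK_IPSKB_FORWARDED 0x01u

struct mock_sock { unsigned int sid; };     /* a labelled local socket */

struct mock_skb {
    struct mock_sock *sk;                   /* NULL for forwarded AND kernel-generated packets */
    unsigned int cb_flags;                  /* stands in for IPCB(skb)->flags */
};

enum postroute_class { PKT_SEND_SOCKET, PKT_SEND_KERNEL, PKT_FORWARD_OUT };

/* Old heuristic: a NULL socket was taken to mean "forwarded". */
enum postroute_class classify_old(const struct mock_skb *skb)
{
    return skb->sk == NULL ? PKT_FORWARD_OUT : PKT_SEND_SOCKET;
}

/* Fixed check: only a socket-less packet that also carries the forwarded
 * flag is a forward; a socket-less packet without it is locally generated
 * by the kernel and should get the kernel's label, not a peer label. */
enum postroute_class classify_new(const struct mock_skb *skb)
{
    if (skb->sk != NULL)
        return PKT_SEND_SOCKET;
    if (skb->cb_flags & MOCK_IPSKB_FORWARDED)
        return PKT_FORWARD_OUT;
    return PKT_SEND_KERNEL;
}

static const char *name(enum postroute_class c)
{
    return c == PKT_SEND_SOCKET ? "send (socket label)"
         : c == PKT_SEND_KERNEL ? "send (kernel label)" : "forward_out (peer label)";
}

int main(void)
{
    struct mock_sock s = { .sid = 42 };
    struct mock_skb from_app    = { .sk = &s,   .cb_flags = 0 };
    struct mock_skb from_kernel = { .sk = NULL, .cb_flags = 0 };
    struct mock_skb forwarded   = { .sk = NULL, .cb_flags = MOCK_IPSKB_FORWARDED };

    printf("app packet:    old=%s new=%s\n", name(classify_old(&from_app)), name(classify_new(&from_app)));
    printf("kernel packet: old=%s new=%s\n", name(classify_old(&from_kernel)), name(classify_new(&from_kernel)));
    printf("forwarded:     old=%s new=%s\n", name(classify_old(&forwarded)), name(classify_new(&forwarded)));
    return 0;
}
```

The kernel-packet line is the case the patch fixes: the old check reports it as a forward, the new one as a local send.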