linux-security-module.vger.kernel.org archive mirror
* Commit f211ac154577ec9ccf07c15f18a6abf0d9bdb4ab breaks Smack TCP connections
       [not found] <3f8328fe-e648-9d0e-729d-eb6787f11bf9.ref@schaufler-ca.com>
@ 2021-03-30 15:42 ` Casey Schaufler
  2021-03-31  2:44   ` 刘亚灿
  0 siblings, 1 reply; 3+ messages in thread
From: Casey Schaufler @ 2021-03-30 15:42 UTC (permalink / raw)
  To: liuyacan, David S. Miller, LKML, Linux Security Module list
  Cc: Casey Schaufler, smack-announce

Commit f211ac154577ec9ccf07c15f18a6abf0d9bdb4ab 'net: correct
sk_acceptq_is_full()' breaks a system with the Smack LSM.
Reverting this change results in a return to correct behavior.

The Smack testsuite can be found at:
	https://github.com/smack-team/smack-testsuite.git

The failing test is ipv4-tcp-local-peersec.sh, but it seems
that most TCP connections hang with SYN_SENT. Oddly, ssh
to 127.0.0.1 works, but other TCP connections time out.

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re:Commit f211ac154577ec9ccf07c15f18a6abf0d9bdb4ab breaks Smack TCP connections
  2021-03-30 15:42 ` Commit f211ac154577ec9ccf07c15f18a6abf0d9bdb4ab breaks Smack TCP connections Casey Schaufler
@ 2021-03-31  2:44   ` 刘亚灿
  2021-03-31 15:40     ` Commit " Casey Schaufler
  0 siblings, 1 reply; 3+ messages in thread
From: 刘亚灿 @ 2021-03-31  2:44 UTC (permalink / raw)
  To: Casey Schaufler; +Cc: David S. Miller, LKML, Linux Security Module list

Hi Casey:

A quote from the listen(2) man page on my Ubuntu system:

    The backlog argument defines the maximum length to which
    the queue of pending connections for sockfd may grow.

I think this implies that the 'backlog' must be greater than zero.
In the test source file (tools/smack-ipv4-tcp-peersec.c), line 60,
I found the following code:

	if (listen(firstsock, 0) < 0) {
		printf("%s-listen\n", argv[0]);
		exit(1);
	}

That means that sock will not accept any requests,
so client TCP connections hang with SYN_SENT.
In the openssh case, it uses SSH_LISTEN_BACKLOG as 128.

At 2021-03-30 23:42:04, "Casey Schaufler" <casey@schaufler-ca.com> wrote:
>Commit f211ac154577ec9ccf07c15f18a6abf0d9bdb4ab 'net: correct
>sk_acceptq_is_full()' breaks a system with the Smack LSM.
>Reverting this change results in a return to correct behavior.
>
>The Smack testsuite can be found at:
>	https://github.com/smack-team/smack-testsuite.git
>
>The failing test is ipv4-tcp-local-peersec.sh, but it seems
>that most TCP connections hang with SYN_SENT. Oddly, ssh
>to 127.0.0.1 works, but other TCP connections time out.

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: Commit f211ac154577ec9ccf07c15f18a6abf0d9bdb4ab breaks Smack TCP connections
  2021-03-31  2:44   ` 刘亚灿
@ 2021-03-31 15:40     ` Casey Schaufler
  0 siblings, 0 replies; 3+ messages in thread
From: Casey Schaufler @ 2021-03-31 15:40 UTC (permalink / raw)
  To: 刘亚灿
  Cc: David S. Miller, LKML, Linux Security Module list, Casey Schaufler

On 3/30/2021 7:44 PM, 刘亚灿 wrote:
> Hi Casey:
>
> A quote from the listen(2) man page on my Ubuntu system:
> The backlog argument defines the maximum length to which 
> the queue of pending connections for sockfd may grow.
> I think this implies that the 'backlog' must be greater than zero.
> In the test source file (tools/smack-ipv4-tcp-peersec.c) Line 60
> I found the following code:
> if (listen(firstsock, 0) < 0) {
> 	    printf("%s-listen\n", argv[0]);
> 	    exit(1);
> }
> That means that sock will not accept any requests, 
> so client TCP connections hang with SYN_SENT.

Interesting. Prior to this change the code above was
accepting connections. I also tried code that uses a
backlog of 0 on a system without an LSM and discovered
the same behavior. That is, it accepted connections
with a 0 backlog before the change, and hangs after.

Is this a bug fix?

> In the openssh case, it uses SSH_LISTEN_BACKLOG as 128.
>
> At 2021-03-30 23:42:04, "Casey Schaufler" <casey@schaufler-ca.com> wrote:
>> Commit f211ac154577ec9ccf07c15f18a6abf0d9bdb4ab 'net: correct
>> sk_acceptq_is_full()' breaks a system with the Smack LSM.
>> Reverting this change results in a return to correct behavior.
>>
>> The Smack testsuite can be found at:
>> 	https://github.com/smack-team/smack-testsuite.git
>>
>> The failing test is ipv4-tcp-local-peersec.sh, but it seems
>> that most TCP connections hang with SYN_SENT. Oddly, ssh
>> to 127.0.0.1 works, but other TCP connections time out.

^ permalink raw reply	[flat|nested] 3+ messages in thread
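
A user-space probe for the behaviour discussed in this thread, as an added example that is not part of any message here or of the Smack testsuite: it opens a loopback listener with a given backlog and reports whether a non-blocking connect completes or stays pending. The `probe_backlog` name, the timeout and the return codes are assumptions of this example; the result for a backlog of 0 depends on the running kernel.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper (added example). Returns 1 if a loopback connect to a
 * socket set up with listen(fd, backlog) completes within timeout_ms, 0 if it
 * is still pending (client left in SYN_SENT), -1 on a setup or connect error.
 * No accept() is called: only the kernel's handling of the handshake is probed. */
int probe_backlog(int backlog, int timeout_ms)
{
    int srv = socket(AF_INET, SOCK_STREAM, 0);
    int cli = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in addr = { .sin_family = AF_INET }; /* port 0: kernel picks */
    struct pollfd pfd = { .fd = cli, .events = POLLOUT };
    socklen_t len = sizeof(addr), errlen = sizeof(int);
    int n = -1, err = 0, result = -1;

    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (srv < 0 || cli < 0 || fcntl(cli, F_SETFL, O_NONBLOCK) < 0 ||
        bind(srv, (struct sockaddr *)&addr, sizeof(addr)) < 0 ||
        listen(srv, backlog) < 0 ||
        getsockname(srv, (struct sockaddr *)&addr, &len) < 0)
        goto out;
    if (connect(cli, (struct sockaddr *)&addr, sizeof(addr)) == 0)
        result = 1;                      /* handshake finished immediately */
    else if (errno == EINPROGRESS)
        n = poll(&pfd, 1, timeout_ms);   /* wait for the handshake to finish */
    if (n == 0)
        result = 0;                      /* no SYN-ACK yet: the reported hang */
    else if (n > 0 && !getsockopt(cli, SOL_SOCKET, SO_ERROR, &err, &errlen) && !err)
        result = 1;
out:
    if (srv >= 0) close(srv);
    if (cli >= 0) close(cli);
    return result;
}

int main(void)
{
    printf("backlog 0:   %d\n", probe_backlog(0, 1000));
    printf("backlog 128: %d\n", probe_backlog(128, 1000));
    return 0;
}
```

Comparing the two printed values before and after a kernel change shows whether `listen(fd, 0)` sockets still complete a handshake on that kernel.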
