* Commit f211ac154577ec9ccf07c15f18a6abf0d9bdb4ab breaks Smack TCP connections
From: Casey Schaufler @ 2021-03-30 15:42 UTC
  To: liuyacan, David S. Miller, LKML, Linux Security Module list
  Cc: Casey Schaufler, smack-announce

Commit f211ac154577ec9ccf07c15f18a6abf0d9bdb4ab 'net: correct
sk_acceptq_is_full()' breaks a system with the Smack LSM.
Reverting this change results in a return to correct behavior.

The Smack testsuite can be found at:
	https://github.com/smack-team/smack-testsuite.git

The failing test is ipv4-tcp-local-peersec.sh, but it seems
that most TCP connections hang with SYN_SENT. Oddly, ssh
to 127.0.0.1 works, but other TCP connections time out.

* Re: Commit f211ac154577ec9ccf07c15f18a6abf0d9bdb4ab breaks Smack TCP connections
From: 刘亚灿 @ 2021-03-31 2:44 UTC
  To: Casey Schaufler
  Cc: David S. Miller, LKML, Linux Security Module list

Hi Casey:

A quote from the listen(2) man page on my Ubuntu system:

    The backlog argument defines the maximum length to which
    the queue of pending connections for sockfd may grow.

I think this implies that the 'backlog' must be greater than zero.
In the test source file (tools/smack-ipv4-tcp-peersec.c), line 60,
I found the following code:

    if (listen(firstsock, 0) < 0) {
        printf("%s-listen\n", argv[0]);
        exit(1);
    }

That means that sock will not accept any requests,
so client TCP connections hang with SYN_SENT.

In the openssh case, it uses SSH_LISTEN_BACKLOG as 128.

At 2021-03-30 23:42:04, "Casey Schaufler" <casey@schaufler-ca.com> wrote:
> Commit f211ac154577ec9ccf07c15f18a6abf0d9bdb4ab 'net: correct
> sk_acceptq_is_full()' breaks a system with the Smack LSM.
> Reverting this change results in a return to correct behavior.
>
> The Smack testsuite can be found at:
> 	https://github.com/smack-team/smack-testsuite.git
>
> The failing test is ipv4-tcp-local-peersec.sh, but it seems
> that most TCP connections hang with SYN_SENT. Oddly, ssh
> to 127.0.0.1 works, but other TCP connections time out.

* Re: Commit f211ac154577ec9ccf07c15f18a6abf0d9bdb4ab breaks Smack TCP connections
From: Casey Schaufler @ 2021-03-31 15:40 UTC
  To: 刘亚灿
  Cc: David S. Miller, LKML, Linux Security Module list, Casey Schaufler

On 3/30/2021 7:44 PM, 刘亚灿 wrote:
> Hi Casey:
>
> A quote from the listen(2) man page on my Ubuntu system:
>
>     The backlog argument defines the maximum length to which
>     the queue of pending connections for sockfd may grow.
>
> I think this implies that the 'backlog' must be greater than zero.
> In the test source file (tools/smack-ipv4-tcp-peersec.c), line 60,
> I found the following code:
>
>     if (listen(firstsock, 0) < 0) {
>         printf("%s-listen\n", argv[0]);
>         exit(1);
>     }
>
> That means that sock will not accept any requests,
> so client TCP connections hang with SYN_SENT.

Interesting. Prior to this change the code above was accepting
connections. I also tried code that uses a backlog of 0 on a system
without an LSM and discovered the same behavior. That is, it accepted
connections with a 0 backlog before the change, and hangs after.

Is this a bug fix?

> In the openssh case, it uses SSH_LISTEN_BACKLOG as 128.
>
> At 2021-03-30 23:42:04, "Casey Schaufler" <casey@schaufler-ca.com> wrote:
>> Commit f211ac154577ec9ccf07c15f18a6abf0d9bdb4ab 'net: correct
>> sk_acceptq_is_full()' breaks a system with the Smack LSM.
>> Reverting this change results in a return to correct behavior.
>>
>> The Smack testsuite can be found at:
>> 	https://github.com/smack-team/smack-testsuite.git
>>
>> The failing test is ipv4-tcp-local-peersec.sh, but it seems
>> that most TCP connections hang with SYN_SENT. Oddly, ssh
>> to 127.0.0.1 works, but other TCP connections time out.

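A minimal loopback probe for the behaviour discussed in this thread, added here as an example; it is not code from the thread's participants or from the Smack testsuite. The helper name probe_backlog and the timeouts are assumptions. It listens with the given backlog, never calls accept(), and reports whether a client connect() completes or stays pending.

```c
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper: returns 1 if connect() completed, 0 if it was still
 * pending after timeout_ms (client left in SYN_SENT), -1 on any setup or
 * socket error. accept() is never called; only the listen queue is tested. */
int probe_backlog(int backlog, int timeout_ms)
{
    struct sockaddr_in addr = { .sin_family = AF_INET };  /* port 0: kernel picks */
    socklen_t len = sizeof(addr), elen = sizeof(int);
    int result = -1, err = 0, n;
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    int cfd = socket(AF_INET, SOCK_STREAM, 0);

    if (lfd < 0 || cfd < 0)
        goto out;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(lfd, (struct sockaddr *)&addr, sizeof(addr)) < 0 ||
        listen(lfd, backlog) < 0 ||
        getsockname(lfd, (struct sockaddr *)&addr, &len) < 0 ||
        fcntl(cfd, F_SETFL, O_NONBLOCK) < 0)
        goto out;
    if (connect(cfd, (struct sockaddr *)&addr, sizeof(addr)) == 0) {
        result = 1;                       /* handshake finished immediately */
    } else if (errno == EINPROGRESS) {
        struct pollfd p = { .fd = cfd, .events = POLLOUT };
        n = poll(&p, 1, timeout_ms);
        if (n == 0)
            result = 0;                   /* no SYN-ACK within the timeout */
        else if (n > 0 && getsockopt(cfd, SOL_SOCKET, SO_ERROR, &err, &elen) == 0)
            result = (err == 0) ? 1 : -1;
    }
out:
    if (lfd >= 0) close(lfd);
    if (cfd >= 0) close(cfd);
    return result;
}

int main(void)
{
    printf("backlog 0: %d, backlog 128: %d\n",
           probe_backlog(0, 2000), probe_backlog(128, 2000));
    return 0;
}
```

A result of 0 for backlog 0 matches the hang reported in the thread, and 1 matches the behaviour reported before the commit; backlog 128 is the value the thread cites for openssh.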