* [PATCH] remove __sk_filter
From: Chris Wright @ 2003-04-14 5:54 UTC
To: James Morris; +Cc: linux-kernel
Now that CONFIG_FILTER was nuked, the __sk_filter helper can be collapsed
back into sk_filter. This eliminates bypassing the security hook by
using the wrong part of the api.
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
===== include/net/sock.h 1.34 vs edited =====
--- 1.34/include/net/sock.h Sun Mar 30 01:45:41 2003
+++ edited/include/net/sock.h Sun Apr 13 22:45:21 2003
@@ -453,7 +453,7 @@
extern void sock_init_data(struct socket *sock, struct sock *sk);
/**
- * __sk_filter - run a packet through a socket filter
+ * sk_filter - run a packet through a socket filter
* @sk: sock associated with &sk_buff
* @skb: buffer to filter
* @needlock: set to 1 if the sock is not locked by caller.
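Review bot: The kernel-doc summary line, now "sk_filter - run a packet through a socket filter", no longer covers everything the function does, because after this patch it also runs the LSM receive hook before the filter. Suggest extending the summary or description to say that security_sock_rcv_skb() is called first and can reject the packet, since the comment that pointed callers at the LSM check is deleted by this patch.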
@@ -464,14 +464,16 @@
* wrapper to sk_run_filter. It returns 0 if the packet should
* be accepted or -EPERM if the packet should be tossed.
*
- * This function should not be called directly, use sk_filter instead
- * to ensure that the LSM security check is also performed.
*/
-static inline int __sk_filter(struct sock *sk, struct sk_buff *skb, int needlock)
+static inline int sk_filter(struct sock *sk, struct sk_buff *skb, int needlock)
{
- int err = 0;
-
+ int err;
+
+ err = security_sock_rcv_skb(sk, skb);
+ if (err)
+ return err;
+
if (sk->filter) {
struct sk_filter *filter;
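Review bot: The return-value text kept at the top of this hunk ("returns 0 if the packet should be accepted or -EPERM if the packet should be tossed") is no longer accurate, because the new "return err;" passes back whatever security_sock_rcv_skb() returns. Suggest rewording it so that any non-zero return means drop, and noting that the hook runs at function entry regardless of needlock, so for needlock=1 callers it runs with the sock unlocked, as it did in the old wrapper. Dropping the "= 0" initialiser is fine since err is assigned by the hook call before any use.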
@@ -516,17 +518,6 @@
{
atomic_inc(&fp->refcnt);
atomic_add(sk_filter_len(fp), &sk->omem_alloc);
-}
-
-static inline int sk_filter(struct sock *sk, struct sk_buff *skb, int needlock)
-{
- int err;
-
- err = security_sock_rcv_skb(sk, skb);
- if (err)
- return err;
-
- return __sk_filter(sk, skb, needlock);
}
/*
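Review bot: With the wrapper deleted here and __sk_filter renamed in the earlier hunk, any remaining caller of __sk_filter() will stop compiling, and this patch touches only include/net/sock.h. Suggest stating in the changelog that no in-tree callers of __sk_filter() remain, or converting them in the same patch, so the build does not break. The compile failure is otherwise the desired outcome, since it is what stops code from skipping security_sock_rcv_skb().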
* Re: [PATCH] remove __sk_filter
From: David S. Miller @ 2003-04-14 14:44 UTC
To: jmorris; +Cc: chris, linux-kernel
From: James Morris <jmorris@intercode.com.au>
Date: Tue, 15 Apr 2003 00:48:17 +1000 (EST)
On Sun, 13 Apr 2003, Chris Wright wrote:
> Now that CONFIG_FILTER was nuked, the __sk_filter helper can be collapsed
> back into sk_filter. This eliminates bypassing the security hook by
> using the wrong part of the api.
Good thinking, thanks.
Applied, thanks.
* Re: [PATCH] remove __sk_filter
From: James Morris @ 2003-04-14 14:48 UTC
To: Chris Wright; +Cc: linux-kernel, David S. Miller
On Sun, 13 Apr 2003, Chris Wright wrote:
> Now that CONFIG_FILTER was nuked, the __sk_filter helper can be collapsed
> back into sk_filter. This eliminates bypassing the security hook by
> using the wrong part of the api.
Good thinking, thanks.
- James
--
James Morris
<jmorris@intercode.com.au>
Chris' patch below.
===== include/net/sock.h 1.34 vs edited =====
--- 1.34/include/net/sock.h Sun Mar 30 01:45:41 2003
+++ edited/include/net/sock.h Sun Apr 13 22:45:21 2003
@@ -453,7 +453,7 @@
extern void sock_init_data(struct socket *sock, struct sock *sk);
/**
- * __sk_filter - run a packet through a socket filter
+ * sk_filter - run a packet through a socket filter
* @sk: sock associated with &sk_buff
* @skb: buffer to filter
* @needlock: set to 1 if the sock is not locked by caller.
@@ -464,14 +464,16 @@
* wrapper to sk_run_filter. It returns 0 if the packet should
* be accepted or -EPERM if the packet should be tossed.
*
- * This function should not be called directly, use sk_filter instead
- * to ensure that the LSM security check is also performed.
*/
-static inline int __sk_filter(struct sock *sk, struct sk_buff *skb, int needlock)
+static inline int sk_filter(struct sock *sk, struct sk_buff *skb, int needlock)
{
- int err = 0;
-
+ int err;
+
+ err = security_sock_rcv_skb(sk, skb);
+ if (err)
+ return err;
+
if (sk->filter) {
struct sk_filter *filter;
@@ -516,17 +518,6 @@
{
atomic_inc(&fp->refcnt);
atomic_add(sk_filter_len(fp), &sk->omem_alloc);
-}
-
-static inline int sk_filter(struct sock *sk, struct sk_buff *skb, int needlock)
-{
- int err;
-
- err = security_sock_rcv_skb(sk, skb);
- if (err)
- return err;
-
- return __sk_filter(sk, skb, needlock);
}
/*