From: Richard Guy Briggs <rgb@redhat.com>
To: David Miller <davem@davemloft.net>
Cc: linux-audit@redhat.com, linux-kernel@vger.kernel.org,
netfilter-devel@vger.kernel.org, netdev@vger.kernel.org,
eparis@redhat.com, sgrubb@redhat.com, hadi@mojatatu.com
Subject: Re: [PATCH] netlink: have netlink per-protocol bind function return an error code.
Date: Mon, 24 Mar 2014 10:38:43 -0400 [thread overview]
Message-ID: <20140324143843.GC28666@madcap2.tricolour.ca> (raw)
In-Reply-To: <20140323.005010.1898428719601246326.davem@davemloft.net>
On 14/03/23, David Miller wrote:
> From: Richard Guy Briggs <rgb@redhat.com>
> Date: Fri, 21 Mar 2014 12:39:11 -0400
>
> > @@ -1441,6 +1441,17 @@ static int netlink_bind(struct socket *sock, struct sockaddr *addr,
> > if (!nladdr->nl_groups && (nlk->groups == NULL || !(u32)nlk->groups[0]))
> > return 0;
> >
> > + if (nlk->netlink_bind && nladdr->nl_groups) {
> > + int i;
> > +
> > + for (i = 0; i < nlk->ngroups; i++)
> > + if (test_bit(i, (long unsigned int *)&nladdr->nl_groups)) {
> > + err = nlk->netlink_bind(i);
> > + if (err)
> > + return err;
> > + }
> > + }
> > +
>
> You can't just leave a partially set of completed bindings in place.
In the general case, I agree.
> It's not valid to leave half-baked state like this.
In the one existing case (netfilter), it adds a module that is never
unloaded. (refcounts are bumped up and down, but I don't see an
auto-reap based on cleared multicast group subscriptions.) For that
matter, netlink_realloc_groups() isn't reversed on error either.
In the proposed case (audit) it is only a permissions check, so there is
nothing to undo.
So, I was being lazy looking at the existing situation.
> If you return an error, all of the binding state changes must be
> completely undone.
Is it time to add a ".unbind = netlink_unbind" to struct proto_ops
netlink_ops? (I am only half serious here...)
> If you can't find a way to do this cleanly, you'll need to find
> a way for the audit code to not return an error.
Fair enough. I'll go back and look at updating subscriptions and
listeners first and undoing those actions if the bind fails. In the
case of netlink_setsockopt() it is just one to undo, which is easy.
netlink_bind() is a bit more complex, but doable.
The whole purpose here was to add a way for each protocol to be able to
add its own permissions check and signal a way for netlink to refuse the
subscription if the userspace process doesn't have the required
permissions, so not returning an error defeats that whole purpose.
- RGB
--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
next prev parent reply other threads:[~2014-03-24 14:38 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-03-21 16:39 [PATCH] netlink: have netlink per-protocol bind function return an error code Richard Guy Briggs
2014-03-23 4:50 ` David Miller
2014-03-24 14:38 ` Richard Guy Briggs [this message]
2014-03-24 18:34 ` Richard Guy Briggs
2014-03-24 18:35 ` [PATCH][v3] " Richard Guy Briggs
2014-03-24 19:37 ` [PATCH][v4] " Richard Guy Briggs
2014-03-24 20:59 ` [PATCH][v5] " Richard Guy Briggs
2014-03-26 19:52 ` David Miller
2014-03-26 20:09 ` v6 superceded it [was: Re: [PATCH][v5] netlink: have netlink per-protocol bind function return an error code.] Richard Guy Briggs
2014-03-25 12:50 ` [PATCH][v6] netlink: have netlink per-protocol bind function return an error code Richard Guy Briggs
2014-03-26 20:46 ` David Miller
2014-03-26 23:13 ` Patrick McHardy
2014-03-25 13:11 ` unbind [was: Re: [PATCH] netlink: have netlink per-protocol bind function return] " Richard Guy Briggs
2014-04-01 14:14 ` [PATCH 0/3] netlink: per-protocol bind fixup/enhancement set Richard Guy Briggs
2014-04-01 14:14 ` [PATCH 1/3] netlink: simplify nfnetlink_bind Richard Guy Briggs
2014-04-01 14:14 ` [PATCH 2/3][v7] netlink: have netlink per-protocol bind function return an error code Richard Guy Briggs
2014-04-01 14:14 ` [PATCH 3/3] netlink: implement unbind to netlink_setsockopt NETLINK_DROP_MEMBERSHIP Richard Guy Briggs
2014-04-01 21:33 ` [PATCH 0/3] netlink: per-protocol bind fixup/enhancement set David Miller
2014-04-01 22:12 ` Richard Guy Briggs
2014-04-01 22:21 ` David Miller
2014-04-18 17:34 ` [PATCH 0/6] audit: implement multicast socket for journald Richard Guy Briggs
2014-04-18 17:34 ` [PATCH 1/6] netlink: simplify nfnetlink_bind Richard Guy Briggs
2014-04-18 17:34 ` [PATCH 2/6] netlink: have netlink per-protocol bind function return an error code Richard Guy Briggs
2014-04-22 20:19 ` David Miller
2014-04-23 1:30 ` Richard Guy Briggs
2014-04-23 1:31 ` [PATCH 0/6][v2] audit: implement multicast socket for journald Richard Guy Briggs
2014-04-23 1:31 ` [PATCH 1/6][v2] netlink: simplify nfnetlink_bind Richard Guy Briggs
2014-04-23 1:31 ` [PATCH 2/6][v2] netlink: have netlink per-protocol bind function return an error code Richard Guy Briggs
2014-04-23 1:31 ` [PATCH 3/6][v2] netlink: implement unbind to netlink_setsockopt NETLINK_DROP_MEMBERSHIP Richard Guy Briggs
2014-04-23 1:31 ` [PATCH 4/6][v2] audit: add netlink audit protocol bind to check capabilities on multicast join Richard Guy Briggs
2014-04-23 1:31 ` [PATCH 5/6][v2] audit: add netlink multicast group for log read Richard Guy Briggs
2014-04-23 1:31 ` [PATCH 6/6][v2] audit: send multicast messages only if there are listeners Richard Guy Briggs
2014-04-23 1:43 ` [PATCH 0/6][v2] audit: implement multicast socket for journald David Miller
2014-04-23 1:49 ` Richard Guy Briggs
2014-04-23 3:55 ` David Miller
2014-04-23 2:25 ` Steve Grubb
2014-04-23 3:57 ` Eric Paris
2014-04-23 13:40 ` Daniel J Walsh
2014-04-23 14:42 ` Eric Paris
2014-04-23 15:36 ` Daniel J Walsh
2014-04-23 15:37 ` Eric Paris
2014-04-23 15:52 ` Daniel J Walsh
2014-04-24 13:22 ` Eric Paris
2014-04-24 14:59 ` Daniel J Walsh
2014-04-24 15:03 ` Eric Paris
2014-04-24 16:03 ` Daniel J Walsh
2014-04-18 17:34 ` [PATCH 3/6] netlink: implement unbind to netlink_setsockopt NETLINK_DROP_MEMBERSHIP Richard Guy Briggs
2014-04-18 17:34 ` [PATCH 4/6] audit: add netlink audit protocol bind to check capabilities on multicast join Richard Guy Briggs
2014-04-18 17:34 ` [PATCH 5/6] audit: add netlink multicast group for log read Richard Guy Briggs
2014-04-18 17:34 ` [PATCH 6/6] audit: send multicast messages only if there are listeners Richard Guy Briggs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140324143843.GC28666@madcap2.tricolour.ca \
--to=rgb@redhat.com \
--cc=davem@davemloft.net \
--cc=eparis@redhat.com \
--cc=hadi@mojatatu.com \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).