* [PATCH 2/2] selinux: use netlink_receive hook
From: Jeff Vander Stoep @ 2019-08-21 13:46 UTC
To: netdev, linux-security-module, selinux; +Cc: Jeff Vander Stoep
Add the nlmsg_readpriv permission to the netlink_route socket class.
Currently this is only used to restrict MAC address access.
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
---
security/selinux/hooks.c | 6 ++++++
security/selinux/include/classmap.h | 2 +-
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 74dd46de01b6..2ab89a73f663 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5825,6 +5825,11 @@ static unsigned int selinux_ipv6_postroute(void *priv,
#endif /* CONFIG_NETFILTER */
+static int selinux_netlink_receive(struct sock *sk, struct sk_buff *skb)
+{
+ return sock_has_perm(current, sk, NETLINK_ROUTE_SOCKET__NLMSG_READPRIV);
+}
+
static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
{
return selinux_nlmsg_perm(sk, skb);
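Review bot: the sock_has_perm() call in selinux_netlink_receive() does not match the function's signature. In this tree sock_has_perm() is declared as `static int sock_has_perm(struct sock *sk, u32 perms)` (the build reports below point at hooks.c:4422), so passing `current` as the first argument is a pointer type mismatch, `sk` in the second slot is a pointer where a u32 is expected, and the third argument is one too many; the call should read `return sock_has_perm(sk, NETLINK_ROUTE_SOCKET__NLMSG_READPRIV);`. A short comment in the function would also help: NETLINK_ROUTE_SOCKET__NLMSG_READPRIV is a permission of the netlink_route_socket class only, so this generically named hook is correct only while every caller invokes it on a route socket (the changelog says it currently guards MAC address access); either state that assumption here or verify the socket's class before checking the permission.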
@@ -6765,6 +6770,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(syslog, selinux_syslog),
LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
+ LSM_HOOK_INIT(netlink_receive, selinux_netlink_receive),
LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 201f7e588a29..3726c61a3dd1 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -115,7 +115,7 @@ struct security_class_mapping secclass_map[] = {
{ COMMON_IPC_PERMS, NULL } },
{ "netlink_route_socket",
{ COMMON_SOCK_PERMS,
- "nlmsg_read", "nlmsg_write", NULL } },
+ "nlmsg_read", "nlmsg_write", "nlmsg_readpriv", NULL } },
{ "netlink_tcpdiag_socket",
{ COMMON_SOCK_PERMS,
"nlmsg_read", "nlmsg_write", NULL } },
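Review bot: the changelog should describe the policy impact of this hunk. Adding nlmsg_readpriv to netlink_route_socket means that any domain which today reads MAC addresses over rtnetlink will need an explicit allow rule for the new permission, and policies written before this change do not define it; say so in the commit message so policy maintainers know what to update. It is also worth noting there that the permission is deliberately added only to netlink_route_socket (the netlink_tcpdiag_socket entry directly below is unchanged), which matches the hook being called only for route sockets.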
--
2.23.0.rc1.153.gdeed80330f-goog
* Re: [PATCH 2/2] selinux: use netlink_receive hook
From: kbuild test robot @ 2019-08-23 1:44 UTC
To: Jeff Vander Stoep
Cc: kbuild-all, netdev, linux-security-module, selinux, Jeff Vander Stoep
Hi Jeff,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on linus/master]
[cannot apply to v5.3-rc5 next-20190822]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]
url: https://github.com/0day-ci/linux/commits/Jeff-Vander-Stoep/rtnetlink-gate-MAC-address-with-an-LSM-hook/20190823-071253
config: i386-defconfig (attached as .config)
compiler: gcc-7 (Debian 7.4.0-10) 7.4.0
reproduce:
# save the attached .config to linux build tree
make ARCH=i386
If you fix the issue, kindly add following tag
Reported-by: kbuild test robot <lkp@intel.com>
All error/warnings (new ones prefixed by >>):
In file included from include/linux/sched.h:12:0,
from include/linux/tracehook.h:46,
from security/selinux/hooks.c:27:
security/selinux/hooks.c: In function 'selinux_netlink_receive':
>> arch/x86/include/asm/current.h:18:17: error: passing argument 1 of 'sock_has_perm' from incompatible pointer type [-Werror=incompatible-pointer-types]
#define current get_current()
^
>> security/selinux/hooks.c:5830:23: note: in expansion of macro 'current'
return sock_has_perm(current, sk, NETLINK_ROUTE_SOCKET__NLMSG_READPRIV);
^~~~~~~
security/selinux/hooks.c:4422:12: note: expected 'struct sock *' but argument is of type 'struct task_struct *'
static int sock_has_perm(struct sock *sk, u32 perms)
^~~~~~~~~~~~~
>> security/selinux/hooks.c:5830:32: warning: passing argument 2 of 'sock_has_perm' makes integer from pointer without a cast [-Wint-conversion]
return sock_has_perm(current, sk, NETLINK_ROUTE_SOCKET__NLMSG_READPRIV);
^~
security/selinux/hooks.c:4422:12: note: expected 'u32 {aka unsigned int}' but argument is of type 'struct sock *'
static int sock_has_perm(struct sock *sk, u32 perms)
^~~~~~~~~~~~~
>> security/selinux/hooks.c:5830:9: error: too many arguments to function 'sock_has_perm'
return sock_has_perm(current, sk, NETLINK_ROUTE_SOCKET__NLMSG_READPRIV);
^~~~~~~~~~~~~
security/selinux/hooks.c:4422:12: note: declared here
static int sock_has_perm(struct sock *sk, u32 perms)
^~~~~~~~~~~~~
cc1: some warnings being treated as errors
vim +/sock_has_perm +18 arch/x86/include/asm/current.h
f0766440dda7ac include/asm-x86/current.h Christoph Lameter 2008-05-09 17
c6f5e0acd5d12e arch/x86/include/asm/current.h Brian Gerst 2009-01-19 @18 #define current get_current()
f0766440dda7ac include/asm-x86/current.h Christoph Lameter 2008-05-09 19
:::::: The code at line 18 was first introduced by commit
:::::: c6f5e0acd5d12ee23f701f15889872e67b47caa6 x86-64: Move current task from PDA to per-cpu and consolidate with 32-bit.
:::::: TO: Brian Gerst <brgerst@gmail.com>
:::::: CC: Tejun Heo <tj@kernel.org>
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
* Re: [PATCH 2/2] selinux: use netlink_receive hook
From: kbuild test robot @ 2019-08-23 1:54 UTC
To: Jeff Vander Stoep
Cc: kbuild-all, netdev, linux-security-module, selinux, Jeff Vander Stoep
Hi Jeff,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on linus/master]
[cannot apply to v5.3-rc5 next-20190822]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]
url: https://github.com/0day-ci/linux/commits/Jeff-Vander-Stoep/rtnetlink-gate-MAC-address-with-an-LSM-hook/20190823-071253
config: s390-debug_defconfig (attached as .config)
compiler: s390-linux-gcc (GCC) 7.4.0
reproduce:
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# save the attached .config to linux build tree
GCC_VERSION=7.4.0 make.cross ARCH=s390
If you fix the issue, kindly add following tag
Reported-by: kbuild test robot <lkp@intel.com>
All errors (new ones prefixed by >>):
In file included from include/linux/sched.h:12:0,
from include/linux/tracehook.h:46,
from security/selinux/hooks.c:27:
security/selinux/hooks.c: In function 'selinux_netlink_receive':
>> arch/s390/include/asm/current.h:17:17: error: passing argument 1 of 'sock_has_perm' from incompatible pointer type [-Werror=incompatible-pointer-types]
#define current ((struct task_struct *const)S390_lowcore.current_task)
^
security/selinux/hooks.c:5830:23: note: in expansion of macro 'current'
return sock_has_perm(current, sk, NETLINK_ROUTE_SOCKET__NLMSG_READPRIV);
^~~~~~~
security/selinux/hooks.c:4422:12: note: expected 'struct sock *' but argument is of type 'struct task_struct *'
static int sock_has_perm(struct sock *sk, u32 perms)
^~~~~~~~~~~~~
security/selinux/hooks.c:5830:32: warning: passing argument 2 of 'sock_has_perm' makes integer from pointer without a cast [-Wint-conversion]
return sock_has_perm(current, sk, NETLINK_ROUTE_SOCKET__NLMSG_READPRIV);
^~
security/selinux/hooks.c:4422:12: note: expected 'u32 {aka unsigned int}' but argument is of type 'struct sock *'
static int sock_has_perm(struct sock *sk, u32 perms)
^~~~~~~~~~~~~
security/selinux/hooks.c:5830:9: error: too many arguments to function 'sock_has_perm'
return sock_has_perm(current, sk, NETLINK_ROUTE_SOCKET__NLMSG_READPRIV);
^~~~~~~~~~~~~
security/selinux/hooks.c:4422:12: note: declared here
static int sock_has_perm(struct sock *sk, u32 perms)
^~~~~~~~~~~~~
cc1: some warnings being treated as errors
vim +/sock_has_perm +17 arch/s390/include/asm/current.h
^1da177e4c3f41 include/asm-s390/current.h Linus Torvalds 2005-04-16 16
^1da177e4c3f41 include/asm-s390/current.h Linus Torvalds 2005-04-16 @17 #define current ((struct task_struct *const)S390_lowcore.current_task)
^1da177e4c3f41 include/asm-s390/current.h Linus Torvalds 2005-04-16 18
:::::: The code at line 17 was first introduced by commit
:::::: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Linux-2.6.12-rc2
:::::: TO: Linus Torvalds <torvalds@ppc970.osdl.org>
:::::: CC: Linus Torvalds <torvalds@ppc970.osdl.org>