SELinux Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH] selinux: always return a secid from the network caches if we find one
@ 2019-08-01 21:55 Paul Moore
  2019-08-05 20:54 ` Paul Moore
  0 siblings, 1 reply; 2+ messages in thread
From: Paul Moore @ 2019-08-01 21:55 UTC (permalink / raw)
  To: selinux

Previously if we couldn't find an entry in the cache and we failed to
allocate memory for a new cache entry we would fail the network object
label lookup; this is obviously not ideal.  This patch fixes this so
that we return the object label even if we can't cache the object at
this point in time due to memory pressure.

The GitHub issue tracker is below:
 * https://github.com/SELinuxProject/selinux-kernel/issues/3

Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 security/selinux/netif.c   |   31 +++++++++++++------------------
 security/selinux/netnode.c |   30 ++++++++++++++----------------
 security/selinux/netport.c |   24 +++++++++++-------------
 3 files changed, 38 insertions(+), 47 deletions(-)

diff --git a/security/selinux/netif.c b/security/selinux/netif.c
index 8c738c189942..cbe6ec246412 100644
--- a/security/selinux/netif.c
+++ b/security/selinux/netif.c
@@ -135,9 +135,9 @@ static void sel_netif_destroy(struct sel_netif *netif)
  */
 static int sel_netif_sid_slow(struct net *ns, int ifindex, u32 *sid)
 {
-	int ret;
+	int ret = 0;
 	struct sel_netif *netif;
-	struct sel_netif *new = NULL;
+	struct sel_netif *new;
 	struct net_device *dev;
 
 	/* NOTE: we always use init's network namespace since we don't
@@ -154,32 +154,27 @@ static int sel_netif_sid_slow(struct net *ns, int ifindex, u32 *sid)
 	netif = sel_netif_find(ns, ifindex);
 	if (netif != NULL) {
 		*sid = netif->nsec.sid;
-		ret = 0;
 		goto out;
 	}
-	new = kzalloc(sizeof(*new), GFP_ATOMIC);
-	if (new == NULL) {
-		ret = -ENOMEM;
-		goto out;
-	}
-	ret = security_netif_sid(&selinux_state, dev->name, &new->nsec.sid);
-	if (ret != 0)
-		goto out;
-	new->nsec.ns = ns;
-	new->nsec.ifindex = ifindex;
-	ret = sel_netif_insert(new);
+
+	ret = security_netif_sid(&selinux_state, dev->name, sid);
 	if (ret != 0)
 		goto out;
-	*sid = new->nsec.sid;
+	new = kzalloc(sizeof(*new), GFP_ATOMIC);
+	if (new) {
+		new->nsec.ns = ns;
+		new->nsec.ifindex = ifindex;
+		new->nsec.sid = *sid;
+		if (sel_netif_insert(new))
+			kfree(new);
+	}
 
 out:
 	spin_unlock_bh(&sel_netif_lock);
 	dev_put(dev);
-	if (unlikely(ret)) {
+	if (unlikely(ret))
 		pr_warn("SELinux: failure in %s(), unable to determine network interface label (%d)\n",
 			__func__, ifindex);
-		kfree(new);
-	}
 	return ret;
 }
 
diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c
index afa0d432436b..df590aaa33f4 100644
--- a/security/selinux/netnode.c
+++ b/security/selinux/netnode.c
@@ -199,9 +199,9 @@ static void sel_netnode_insert(struct sel_netnode *node)
  */
 static int sel_netnode_sid_slow(void *addr, u16 family, u32 *sid)
 {
-	int ret = -ENOMEM;
+	int ret;
 	struct sel_netnode *node;
-	struct sel_netnode *new = NULL;
+	struct sel_netnode *new;
 
 	spin_lock_bh(&sel_netnode_lock);
 	node = sel_netnode_find(addr, family);
@@ -210,38 +210,36 @@ static int sel_netnode_sid_slow(void *addr, u16 family, u32 *sid)
 		spin_unlock_bh(&sel_netnode_lock);
 		return 0;
 	}
+
 	new = kzalloc(sizeof(*new), GFP_ATOMIC);
-	if (new == NULL)
-		goto out;
 	switch (family) {
 	case PF_INET:
 		ret = security_node_sid(&selinux_state, PF_INET,
 					addr, sizeof(struct in_addr), sid);
-		new->nsec.addr.ipv4 = *(__be32 *)addr;
+		if (new)
+			new->nsec.addr.ipv4 = *(__be32 *)addr;
 		break;
 	case PF_INET6:
 		ret = security_node_sid(&selinux_state, PF_INET6,
 					addr, sizeof(struct in6_addr), sid);
-		new->nsec.addr.ipv6 = *(struct in6_addr *)addr;
+		if (new)
+			new->nsec.addr.ipv6 = *(struct in6_addr *)addr;
 		break;
 	default:
 		BUG();
 		ret = -EINVAL;
 	}
-	if (ret != 0)
-		goto out;
-
-	new->nsec.family = family;
-	new->nsec.sid = *sid;
-	sel_netnode_insert(new);
+	if (ret == 0 && new) {
+		new->nsec.family = family;
+		new->nsec.sid = *sid;
+		sel_netnode_insert(new);
+	} else
+		kfree(new);
 
-out:
 	spin_unlock_bh(&sel_netnode_lock);
-	if (unlikely(ret)) {
+	if (unlikely(ret))
 		pr_warn("SELinux: failure in %s(), unable to determine network node label\n",
 			__func__);
-		kfree(new);
-	}
 	return ret;
 }
 
diff --git a/security/selinux/netport.c b/security/selinux/netport.c
index 7a141cadbffc..936d630a938d 100644
--- a/security/selinux/netport.c
+++ b/security/selinux/netport.c
@@ -147,9 +147,9 @@ static void sel_netport_insert(struct sel_netport *port)
  */
 static int sel_netport_sid_slow(u8 protocol, u16 pnum, u32 *sid)
 {
-	int ret = -ENOMEM;
+	int ret;
 	struct sel_netport *port;
-	struct sel_netport *new = NULL;
+	struct sel_netport *new;
 
 	spin_lock_bh(&sel_netport_lock);
 	port = sel_netport_find(protocol, pnum);
@@ -158,25 +158,23 @@ static int sel_netport_sid_slow(u8 protocol, u16 pnum, u32 *sid)
 		spin_unlock_bh(&sel_netport_lock);
 		return 0;
 	}
-	new = kzalloc(sizeof(*new), GFP_ATOMIC);
-	if (new == NULL)
-		goto out;
+
 	ret = security_port_sid(&selinux_state, protocol, pnum, sid);
 	if (ret != 0)
 		goto out;
-
-	new->psec.port = pnum;
-	new->psec.protocol = protocol;
-	new->psec.sid = *sid;
-	sel_netport_insert(new);
+	new = kzalloc(sizeof(*new), GFP_ATOMIC);
+	if (new) {
+		new->psec.port = pnum;
+		new->psec.protocol = protocol;
+		new->psec.sid = *sid;
+		sel_netport_insert(new);
+	}
 
 out:
 	spin_unlock_bh(&sel_netport_lock);
-	if (unlikely(ret)) {
+	if (unlikely(ret))
 		pr_warn("SELinux: failure in %s(), unable to determine network port label\n",
 			__func__);
-		kfree(new);
-	}
 	return ret;
 }
 


^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [PATCH] selinux: always return a secid from the network caches if we find one
  2019-08-01 21:55 [PATCH] selinux: always return a secid from the network caches if we find one Paul Moore
@ 2019-08-05 20:54 ` Paul Moore
  0 siblings, 0 replies; 2+ messages in thread
From: Paul Moore @ 2019-08-05 20:54 UTC (permalink / raw)
  To: selinux

On Thu, Aug 1, 2019 at 5:55 PM Paul Moore <paul@paul-moore.com> wrote:
>
> Previously if we couldn't find an entry in the cache and we failed to
> allocate memory for a new cache entry we would fail the network object
> label lookup; this is obviously not ideal.  This patch fixes this so
> that we return the object label even if we can't cache the object at
> this point in time due to memory pressure.
>
> The GitHub issue tracker is below:
>  * https://github.com/SELinuxProject/selinux-kernel/issues/3
>
> Signed-off-by: Paul Moore <paul@paul-moore.com>
> ---
>  security/selinux/netif.c   |   31 +++++++++++++------------------
>  security/selinux/netnode.c |   30 ++++++++++++++----------------
>  security/selinux/netport.c |   24 +++++++++++-------------
>  3 files changed, 38 insertions(+), 47 deletions(-)

No objections here either so I'm going to merge this into selinux/next.

-- 
paul moore
www.paul-moore.com

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, back to index

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-08-01 21:55 [PATCH] selinux: always return a secid from the network caches if we find one Paul Moore
2019-08-05 20:54 ` Paul Moore

SELinux Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux/0 selinux/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux selinux/ https://lore.kernel.org/selinux \
		selinux@vger.kernel.org selinux@archiver.kernel.org
	public-inbox-index selinux


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux


AGPL code for this site: git clone https://public-inbox.org/ public-inbox