On Friday, November 13, 2015 03:14:19 PM Vladis Dronov wrote:
> Any process is able to send netlink messages with invalid types.
> Make the warning rate-limited to prevent too much log spam.
>
> The warning is supposed to help to find misbehaving programs, so
> print the triggering command name and pid.
>
> Reported-by: Florian Weimer <[email protected]>
> Signed-off-by: Vladis Dronov <[email protected]>
> ---
> security/selinux/hooks.c | 9 +++++----
> 1 file changed, 5 insertions(+), 4 deletions(-)
Applied to my selinux@next queue, with the merge window expected to close this
weekend, this patch should appear in linux-next sometime next week.
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index d0cfaa9..791fc46 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -4785,11 +4785,12 @@ static int selinux_nlmsg_perm(struct sock *sk,
> struct sk_buff *skb) err = selinux_nlmsg_lookup(sksec->sclass,
> nlh->nlmsg_type, &perm); if (err) {
> if (err == -EINVAL) {
> - printk(KERN_WARNING
> - "SELinux: unrecognized netlink message:"
> - " protocol=%hu nlmsg_type=%hu sclass=%s\n",
> + pr_warn_ratelimited("SELinux: unrecognized netlink"
> + " message: protocol=%hu nlmsg_type=%hu sclass=%s"
> + " pig=%d comm=%s\n",
> sk->sk_protocol, nlh->nlmsg_type,
> - secclass_map[sksec->sclass - 1].name);
> + secclass_map[sksec->sclass - 1].name,
> + task_pid_nr(current), current->comm);
> if (!selinux_enforcing || security_get_allow_unknown())
> err = 0;
> }
--
paul moore
www.paul-moore.com
--
To unsubscribe from this list: send the line "unsubscribe
linux-security-module" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
