Re: [PATCH] scm: fold __scm_send() into scm_send()

Mon, 20 Mar 2006 13:40:10 -0800 

* Chris Wright ([EMAIL PROTECTED]) wrote:
> * Ingo Oeser ([EMAIL PROTECTED]) wrote:
> > Hi Chris,
> > 
> > Andrew Morton wrote:
> > > Ingo Oeser <[EMAIL PROTECTED]> wrote:
> > > >
> > > >  -int scm_send(struct socket *sock, struct msghdr *msg, struct 
> > > > scm_cookie *scm)
> > > >  -{
> > > >  -      struct task_struct *p = current;
> > > >  -      scm->creds = (struct ucred) {
> > > >  -              .uid = p->uid,
> > > >  -              .gid = p->gid,
> > > >  -              .pid = p->tgid
> > > >  -      };
> > > >  -      scm->fp = NULL;
> > > >  -      scm->sid = security_sk_sid(sock->sk, NULL, 0);
> > > >  -      scm->seq = 0;
> > > >  -      if (msg->msg_controllen <= 0)
> > > >  -              return 0;
> > > >  -      return __scm_send(sock, msg, scm);
> > > >  -}
> > > 
> > > It's worth noting that scm_send() will call security_sk_sid() even if
> > > (msg->msg_controllen <= 0).
> > 
> > Chris, do you know if this is needed in this case?
> 
> This whole thing is looking broken.  I'm still trying to find the original
> patch which caused the series of broken patches on top.

OK, it starts here from Catherine's patch:

include/net/scm.h::scm_recv()
+       if (test_bit(SOCK_PASSSEC, &sock->flags)) {
+               err = security_sid_to_context(scm->sid, &scontext, 
&scontext_len);
+               if (!err)
+                       put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, scontext_len, 
scontext);
+ }

Catherine, the security_sid_to_context() is a raw SELinux function which
crept into core code and should not have been there.  The fallout fixes
included conditionally exporting security_sid_to_context, and finally
scm_send/recv unlining.  The end result in -mm looks broken to me.
Specifically, it now does:

        ucred->uid = tsk->uid;
        ucred->gid = tsk->gid;
        ucred->pid = tsk->tgid;
        scm->fp = NULL;
        scm->seq = 0;
        if (msg->msg_controllen <= 0)
                return 0;

        scm->sid = security_sk_sid(sock->sk, NULL, 0);

The point of Catherine's original patch was to make sure there's always
a security identifier associated with AF_UNIX messages.  So receiver
can always check it (same as having credentials even w/out sender
control message passing them).  Now we will have garbage for sid.

thanks,
-chris
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to