author | Paul Moore <paul.moore@hp.com> | 2008-01-29 08:51:16 -0500 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2008-01-29 16:17:30 -0500 |
commit | 71f1cb05f773661b6fa98c7a635d7a395cd9c55d (patch) | |
tree | a540f89c5d1d081ea2c09105f264adce44d92fa9 | |
parent | effad8df44261031a882e1a895415f7186a5098e (diff) |
SELinux: Add warning messages on network denial due to error
Currently network traffic can be silently dropped due to non-avc errors, which
can lead to much confusion when trying to debug the problem. This patch adds
warning messages so that when these events occur there is a user visible
notification.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r-- | security/selinux/hooks.c | 29 | ||||
-rw-r--r-- | security/selinux/netif.c | 13 | ||||
-rw-r--r-- | security/selinux/netnode.c | 6 |
3 files changed, 40 insertions, 8 deletions
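diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index b3c064744d32..81bfcf114484 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3443,6 +3443,11 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
 		break;
 	}
 
+	if (unlikely(ret))
+		printk(KERN_WARNING
+		       "SELinux: failure in selinux_parse_skb(),"
+		       " unable to parse packet\n");
+
 	return ret;
 }
 
@@ -3463,6 +3468,7 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
  */
 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
 {
+	int err;
 	u32 xfrm_sid;
 	u32 nlbl_sid;
 	u32 nlbl_type;
@@ -3470,10 +3476,13 @@ static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
 	selinux_skb_xfrm_sid(skb, &xfrm_sid);
 	selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
 
-	if (security_net_peersid_resolve(nlbl_sid, nlbl_type,
-					 xfrm_sid,
-					 sid) != 0)
+	err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
+	if (unlikely(err)) {
+		printk(KERN_WARNING
+		       "SELinux: failure in selinux_skb_peerlbl_sid(),"
+		       " unable to determine packet's peer label\n");
 		return -EACCES;
+	}
 
 	return 0;
 }
@@ -3925,8 +3934,13 @@ static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
 	err = security_port_sid(sk->sk_family, sk->sk_type,
 				sk->sk_protocol, ntohs(ad->u.net.sport),
 				&port_sid);
-	if (err)
+	if (unlikely(err)) {
+		printk(KERN_WARNING
+		       "SELinux: failure in"
+		       " selinux_sock_rcv_skb_iptables_compat(),"
+		       " network port label not found\n");
 		return err;
+	}
 	return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
 }
 
@@ -4343,8 +4357,13 @@ static int selinux_ip_postroute_iptables_compat(struct sock *sk,
 	err = security_port_sid(sk->sk_family, sk->sk_type,
 				sk->sk_protocol, ntohs(ad->u.net.dport),
 				&port_sid);
-	if (err)
+	if (unlikely(err)) {
+		printk(KERN_WARNING
+		       "SELinux: failure in"
+		       " selinux_ip_postroute_iptables_compat(),"
+		       " network port label not found\n");
 		return err;
+	}
 	return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
 }
 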
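Review bot: The warnings added in selinux_parse_skb() and selinux_skb_peerlbl_sid() sit on per-packet receive paths and are not rate limited, so a sustained stream of unparsable or unlabelled packets arriving from the network becomes unbounded KERN_WARNING output that can drown the log; the same applies to the sel_netif_sid_slow() and sel_netnode_sid_slow() hunks in netif.c and netnode.c. Guarding each message with `printk_ratelimit()`, e.g. `if (unlikely(ret) && printk_ratelimit())` in selinux_parse_skb() and `if (printk_ratelimit())` around the printk inside the braced blocks, keeps the operator-visible notification without the flood. In selinux_skb_peerlbl_sid() the value of err is dropped from both the message and the return (-EACCES is returned regardless), so adding it to the warning, `" unable to determine packet's peer label (err=%d)\n", err`, would make the message actionable. selinux_parse_skb()'s body begins outside the first hunk.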
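diff --git a/security/selinux/netif.c b/security/selinux/netif.c
index ee49a7382875..013d3117a86b 100644
--- a/security/selinux/netif.c
+++ b/security/selinux/netif.c
@@ -157,8 +157,12 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid)
 	 * currently support containers */
 
 	dev = dev_get_by_index(&init_net, ifindex);
-	if (dev == NULL)
+	if (unlikely(dev == NULL)) {
+		printk(KERN_WARNING
+		       "SELinux: failure in sel_netif_sid_slow(),"
+		       " invalid network interface (%d)\n", ifindex);
 		return -ENOENT;
+	}
 
 	spin_lock_bh(&sel_netif_lock);
 	netif = sel_netif_find(ifindex);
@@ -184,8 +188,13 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid)
 out:
 	spin_unlock_bh(&sel_netif_lock);
 	dev_put(dev);
-	if (ret != 0)
+	if (unlikely(ret)) {
+		printk(KERN_WARNING
+		       "SELinux: failure in sel_netif_sid_slow(),"
+		       " unable to determine network interface label (%d)\n",
+		       ifindex);
 		kfree(new);
+	}
 	return ret;
 }
 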
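Review bot: The message at the out: label in sel_netif_sid_slow() reports only ifindex and fires for every non-zero ret, yet the kfree(new) it wraps suggests ret can come from more than one failure between the two hunks (the part of the function not shown here), so the log cannot tell a label lookup failure from an allocation failure. Printing the error code alongside the interface index, `" unable to determine network interface label (%d, err=%d)\n", ifindex, ret`, costs nothing and makes the warning actionable. The body of sel_netif_sid_slow() between the two hunks is outside the view.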
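diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c
index 49c527799240..f3c526f2cacb 100644
--- a/security/selinux/netnode.c
+++ b/security/selinux/netnode.c
@@ -264,8 +264,12 @@ static int sel_netnode_sid_slow(void *addr, u16 family, u32 *sid)
 
 out:
 	spin_unlock_bh(&sel_netnode_lock);
-	if (ret != 0)
+	if (unlikely(ret)) {
+		printk(KERN_WARNING
+		       "SELinux: failure in sel_netnode_sid_slow(),"
+		       " unable to determine network node label\n");
 		kfree(new);
+	}
 	return ret;
 }
 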
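Review bot: Unlike its netif.c counterpart, the new message in sel_netnode_sid_slow() carries no identifying detail, so the log cannot say which lookup failed or why, even though the function's family parameter and ret are both in scope at the out: label. Including at least the address family and the error code, `" unable to determine network node label (family=%d, err=%d)\n", family, ret`, would line the message up with the interface warning and give a reader something to correlate against. The rest of sel_netnode_sid_slow(), including where ret is set, is outside the hunk.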