authorPaul Moore <paul.moore@hp.com>2008-01-29 08:51:16 -0500
committerJames Morris <jmorris@namei.org>2008-01-29 16:17:30 -0500
commit71f1cb05f773661b6fa98c7a635d7a395cd9c55d (patch)
treea540f89c5d1d081ea2c09105f264adce44d92fa9
parenteffad8df44261031a882e1a895415f7186a5098e (diff)
SELinux: Add warning messages on network denial due to error
Currently network traffic can be silently dropped due to non-avc errors which can lead to much confusion when trying to debug the problem. This patch adds warning messages so that when these events occur there is a user visible notification. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r--security/selinux/hooks.c29
-rw-r--r--security/selinux/netif.c13
-rw-r--r--security/selinux/netnode.c6
3 files changed, 40 insertions, 8 deletions
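--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3443,6 +3443,11 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
 break;
 }
 
+if (unlikely(ret))
+printk(KERN_WARNING
+"SELinux: failure in selinux_parse_skb(),"
+" unable to parse packet\n");
+
 return ret;
 }
 
@@ -3463,6 +3468,7 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
 */
 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
 {
+int err;
 u32 xfrm_sid;
 u32 nlbl_sid;
 u32 nlbl_type;
@@ -3470,10 +3476,13 @@ static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
 selinux_skb_xfrm_sid(skb, &xfrm_sid);
 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
 
-if (security_net_peersid_resolve(nlbl_sid, nlbl_type,
-xfrm_sid,
-sid) != 0)
+err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
+if (unlikely(err)) {
+printk(KERN_WARNING
+"SELinux: failure in selinux_skb_peerlbl_sid(),"
+" unable to determine packet's peer label\n");
 return -EACCES;
+}
 
 return 0;
 }
@@ -3925,8 +3934,13 @@ static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
 err = security_port_sid(sk->sk_family, sk->sk_type,
 sk->sk_protocol, ntohs(ad->u.net.sport),
 &port_sid);
-if (err)
+if (unlikely(err)) {
+printk(KERN_WARNING
+"SELinux: failure in"
+" selinux_sock_rcv_skb_iptables_compat(),"
+" network port label not found\n");
 return err;
+}
 return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
 }
 
@@ -4343,8 +4357,13 @@ static int selinux_ip_postroute_iptables_compat(struct sock *sk,
 err = security_port_sid(sk->sk_family, sk->sk_type,
 sk->sk_protocol, ntohs(ad->u.net.dport),
 &port_sid);
-if (err)
+if (unlikely(err)) {
+printk(KERN_WARNING
+"SELinux: failure in"
+" selinux_ip_postroute_iptables_compat(),"
+" network port label not found\n");
 return err;
+}
 return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
 }
 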
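Review bot: The printk() added to selinux_parse_skb() in the first hunk fires on every packet that fails to parse and is not rate limited, so if this is the per-packet receive path its name suggests, a stream of malformed packets can fill the kernel log; gating it with the existing helper, `if (unlikely(ret) && net_ratelimit())`, keeps the user-visible notification without letting untrusted traffic drive log volume. The same applies to the warnings in the selinux_skb_peerlbl_sid(), selinux_sock_rcv_skb_iptables_compat() and selinux_ip_postroute_iptables_compat() hunks here and to those in netif.c and netnode.c, where the printk() inside the braced block can be wrapped in `if (net_ratelimit())`. As a smaller point of style, every message spells the function name out by hand where `__func__` would stay correct across renames. selinux_parse_skb() and the two iptables_compat functions begin before their hunks, and selinux_skb_peerlbl_sid() spans the second and third.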
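--- a/security/selinux/netif.c
+++ b/security/selinux/netif.c
@@ -157,8 +157,12 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid)
 * currently support containers */
 
 dev = dev_get_by_index(&init_net, ifindex);
-if (dev == NULL)
+if (unlikely(dev == NULL)) {
+printk(KERN_WARNING
+"SELinux: failure in sel_netif_sid_slow(),"
+" invalid network interface (%d)\n", ifindex);
 return -ENOENT;
+}
 
 spin_lock_bh(&sel_netif_lock);
 netif = sel_netif_find(ifindex);
@@ -184,8 +188,13 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid)
 out:
 spin_unlock_bh(&sel_netif_lock);
 dev_put(dev);
-if (ret != 0)
+if (unlikely(ret)) {
+printk(KERN_WARNING
+"SELinux: failure in sel_netif_sid_slow(),"
+" unable to determine network interface label (%d)\n",
+ifindex);
 kfree(new);
+}
 return ret;
 }
 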
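Review bot: The second hunk's warning reports any non-zero ret as "unable to determine network interface label" but drops the error code itself, so an administrator cannot tell a policy lookup failure from what is presumably an allocation failure of the `new` entry freed on the same path; adding it to the message, `" unable to determine network interface label (%d, err=%d)\n", ifindex, ret);`, costs nothing and makes the line actionable. In the first hunk, if this lookup can be reached for an interface that has just been unregistered, the message will flag a benign race as a failure; a short comment such as `/* dev may have been unregistered since the packet arrived */` would let a reader decide whether that line is noise. sel_netif_sid_slow() begins before the first hunk and the code between the two hunks, where ret and new are set, is not shown.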
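--- a/security/selinux/netnode.c
+++ b/security/selinux/netnode.c
@@ -264,8 +264,12 @@ static int sel_netnode_sid_slow(void *addr, u16 family, u32 *sid)
 
 out:
 spin_unlock_bh(&sel_netnode_lock);
-if (ret != 0)
+if (unlikely(ret)) {
+printk(KERN_WARNING
+"SELinux: failure in sel_netnode_sid_slow(),"
+" unable to determine network node label\n");
 kfree(new);
+}
 return ret;
 }
 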
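Review bot: The warning added here identifies nothing about the failing node, unlike the netif.c change in the same commit, which prints ifindex, so with many nodes in play the message cannot be correlated with a host or a policy entry. Printing at least the address family and the error code, `" unable to determine network node label (family %u, err=%d)\n", family, ret);`, gives an administrator something to act on, and the address itself could follow once family-specific formatting is chosen. sel_netnode_sid_slow() begins before the hunk, so where ret is set is not visible here.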