| author | Paul Moore <paul.moore@hp.com> | 2008-01-29 08:51:16 -0500 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2008-01-29 16:17:30 -0500 |
| commit | 71f1cb05f773661b6fa98c7a635d7a395cd9c55d (patch) | |
| tree | a540f89c5d1d081ea2c09105f264adce44d92fa9 | |
| parent | effad8df44261031a882e1a895415f7186a5098e (diff) | |
SELinux: Add warning messages on network denial due to error
Currently network traffic can be silently dropped due to non-avc errors which
can lead to much confusion when trying to debug the problem. This patch adds
warning messages so that when these events occur there is a user visible
notification.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
| -rw-r--r-- | security/selinux/hooks.c | 29 | ||||
| -rw-r--r-- | security/selinux/netif.c | 13 | ||||
| -rw-r--r-- | security/selinux/netnode.c | 6 |
3 files changed, 40 insertions, 8 deletions
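--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3443,6 +3443,11 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
 		break;
 	}
 
+	if (unlikely(ret))
+		printk(KERN_WARNING
+		       "SELinux: failure in selinux_parse_skb(),"
+		       " unable to parse packet\n");
+
 	return ret;
 }
 
@@ -3463,6 +3468,7 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
  */
 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
 {
+	int err;
 	u32 xfrm_sid;
 	u32 nlbl_sid;
 	u32 nlbl_type;
@@ -3470,10 +3476,13 @@ static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
 	selinux_skb_xfrm_sid(skb, &xfrm_sid);
 	selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
 
-	if (security_net_peersid_resolve(nlbl_sid, nlbl_type,
-					 xfrm_sid,
-					 sid) != 0)
+	err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
+	if (unlikely(err)) {
+		printk(KERN_WARNING
+		       "SELinux: failure in selinux_skb_peerlbl_sid(),"
+		       " unable to determine packet's peer label\n");
 		return -EACCES;
+	}
 
 	return 0;
 }
@@ -3925,8 +3934,13 @@ static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
 	err = security_port_sid(sk->sk_family, sk->sk_type,
 				sk->sk_protocol, ntohs(ad->u.net.sport),
 				&port_sid);
-	if (err)
+	if (unlikely(err)) {
+		printk(KERN_WARNING
+		       "SELinux: failure in"
+		       " selinux_sock_rcv_skb_iptables_compat(),"
+		       " network port label not found\n");
 		return err;
+	}
 	return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
 }
 
@@ -4343,8 +4357,13 @@ static int selinux_ip_postroute_iptables_compat(struct sock *sk,
 	err = security_port_sid(sk->sk_family, sk->sk_type,
 				sk->sk_protocol, ntohs(ad->u.net.dport),
 				&port_sid);
-	if (err)
+	if (unlikely(err)) {
+		printk(KERN_WARNING
+		       "SELinux: failure in"
+		       " selinux_ip_postroute_iptables_compat(),"
+		       " network port label not found\n");
 		return err;
+	}
 	return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
 }
 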
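Review bot: The warning added to selinux_parse_skb() is emitted unconditionally for every packet the parser rejects, and since this hook sits on the inbound path a remote sender of malformed packets can fill the kernel log at line rate, which is itself a denial of service against logging. Gate the new printk calls with the kernel's rate limiter, e.g. `if (unlikely(ret) && net_ratelimit())` here, and put the same `net_ratelimit()` check in front of the printk in selinux_skb_peerlbl_sid(), selinux_sock_rcv_skb_iptables_compat() and selinux_ip_postroute_iptables_compat(). The peer-label warning is the most exposed of the three because selinux_skb_peerlbl_sid() takes its inputs from the packet via selinux_netlbl_skbuff_getsid(), so untrusted traffic can drive it just as directly. selinux_parse_skb() and the two *_iptables_compat() functions begin outside their hunks.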
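--- a/security/selinux/netif.c
+++ b/security/selinux/netif.c
@@ -157,8 +157,12 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid)
 	 * currently support containers */
 
 	dev = dev_get_by_index(&init_net, ifindex);
-	if (dev == NULL)
+	if (unlikely(dev == NULL)) {
+		printk(KERN_WARNING
+		       "SELinux: failure in sel_netif_sid_slow(),"
+		       " invalid network interface (%d)\n", ifindex);
 		return -ENOENT;
+	}
 
 	spin_lock_bh(&sel_netif_lock);
 	netif = sel_netif_find(ifindex);
@@ -184,8 +188,13 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid)
 out:
 	spin_unlock_bh(&sel_netif_lock);
 	dev_put(dev);
-	if (ret != 0)
+	if (unlikely(ret)) {
+		printk(KERN_WARNING
+		       "SELinux: failure in sel_netif_sid_slow(),"
+		       " unable to determine network interface label (%d)\n",
+		       ifindex);
 		kfree(new);
+	}
 	return ret;
 }
 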
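Review bot: The NULL-check warning in sel_netif_sid_slow() treats every failed dev_get_by_index() as a reportable failure, but an interface that is unregistered while its packets are still being processed would presumably reach this path legitimately, and a burst of such packets produces one warning line each. Both new printk calls in this file should sit behind `net_ratelimit()`, i.e. `if (net_ratelimit()) printk(KERN_WARNING ...`, as the ones in hooks.c should. The message at the `out:` label reports only the ifindex even though `ret` holds the actual error, so a policy lookup failure and an allocation failure read identically; printing the code, e.g. `" unable to determine network interface label (%d): %d\n", ifindex, ret`, would make the warning actionable. sel_netif_sid_slow() starts before both hunks.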
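--- a/security/selinux/netnode.c
+++ b/security/selinux/netnode.c
@@ -264,8 +264,12 @@ static int sel_netnode_sid_slow(void *addr, u16 family, u32 *sid)
 
 out:
 	spin_unlock_bh(&sel_netnode_lock);
-	if (ret != 0)
+	if (unlikely(ret)) {
+		printk(KERN_WARNING
+		       "SELinux: failure in sel_netnode_sid_slow(),"
+		       " unable to determine network node label\n");
 		kfree(new);
+	}
 	return ret;
 }
 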
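Review bot: The warning added at the `out:` label of sel_netnode_sid_slow() carries no context about which lookup failed, unlike the sel_netif_sid_slow() message that includes the ifindex, so the reader learns only that some node label lookup failed somewhere. Including the address family and the error code, which are both in scope, would make it actionable, e.g. `" unable to determine network node label (family %u, err %d)\n", family, ret`. This slow path is presumably entered per packet on a cache miss (the cache lookup is outside the hunk), so the printk should also be guarded by `net_ratelimit()` as for the other warnings in this series. sel_netnode_sid_slow() begins outside the hunk.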
