summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPaul Moore <paul.moore@hp.com>2008-01-29 14:51:16 +0100
committerJames Morris <jmorris@namei.org>2008-01-29 22:17:30 +0100
commit71f1cb05f773661b6fa98c7a635d7a395cd9c55d (patch)
treea540f89c5d1d081ea2c09105f264adce44d92fa9
parentSELinux: Add network ingress and egress control permission checks (diff)
downloadlinux-71f1cb05f773661b6fa98c7a635d7a395cd9c55d.tar.xz
linux-71f1cb05f773661b6fa98c7a635d7a395cd9c55d.zip
SELinux: Add warning messages on network denial due to error
Currently network traffic can be sliently dropped due to non-avc errors which can lead to much confusion when trying to debug the problem. This patch adds warning messages so that when these events occur there is a user visible notification. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r--security/selinux/hooks.c29
-rw-r--r--security/selinux/netif.c13
-rw-r--r--security/selinux/netnode.c6
3 files changed, 40 insertions, 8 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index b3c064744d32..81bfcf114484 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3443,6 +3443,11 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
break;
}
+ if (unlikely(ret))
+ printk(KERN_WARNING
+ "SELinux: failure in selinux_parse_skb(),"
+ " unable to parse packet\n");
+
return ret;
}
@@ -3463,6 +3468,7 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
*/
static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
{
+ int err;
u32 xfrm_sid;
u32 nlbl_sid;
u32 nlbl_type;
@@ -3470,10 +3476,13 @@ static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
selinux_skb_xfrm_sid(skb, &xfrm_sid);
selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
- if (security_net_peersid_resolve(nlbl_sid, nlbl_type,
- xfrm_sid,
- sid) != 0)
+ err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
+ if (unlikely(err)) {
+ printk(KERN_WARNING
+ "SELinux: failure in selinux_skb_peerlbl_sid(),"
+ " unable to determine packet's peer label\n");
return -EACCES;
+ }
return 0;
}
@@ -3925,8 +3934,13 @@ static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
err = security_port_sid(sk->sk_family, sk->sk_type,
sk->sk_protocol, ntohs(ad->u.net.sport),
&port_sid);
- if (err)
+ if (unlikely(err)) {
+ printk(KERN_WARNING
+ "SELinux: failure in"
+ " selinux_sock_rcv_skb_iptables_compat(),"
+ " network port label not found\n");
return err;
+ }
return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
}
@@ -4343,8 +4357,13 @@ static int selinux_ip_postroute_iptables_compat(struct sock *sk,
err = security_port_sid(sk->sk_family, sk->sk_type,
sk->sk_protocol, ntohs(ad->u.net.dport),
&port_sid);
- if (err)
+ if (unlikely(err)) {
+ printk(KERN_WARNING
+ "SELinux: failure in"
+ " selinux_ip_postroute_iptables_compat(),"
+ " network port label not found\n");
return err;
+ }
return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
}
diff --git a/security/selinux/netif.c b/security/selinux/netif.c
index ee49a7382875..013d3117a86b 100644
--- a/security/selinux/netif.c
+++ b/security/selinux/netif.c
@@ -157,8 +157,12 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid)
* currently support containers */
dev = dev_get_by_index(&init_net, ifindex);
- if (dev == NULL)
+ if (unlikely(dev == NULL)) {
+ printk(KERN_WARNING
+ "SELinux: failure in sel_netif_sid_slow(),"
+ " invalid network interface (%d)\n", ifindex);
return -ENOENT;
+ }
spin_lock_bh(&sel_netif_lock);
netif = sel_netif_find(ifindex);
@@ -184,8 +188,13 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid)
out:
spin_unlock_bh(&sel_netif_lock);
dev_put(dev);
- if (ret != 0)
+ if (unlikely(ret)) {
+ printk(KERN_WARNING
+ "SELinux: failure in sel_netif_sid_slow(),"
+ " unable to determine network interface label (%d)\n",
+ ifindex);
kfree(new);
+ }
return ret;
}
diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c
index 49c527799240..f3c526f2cacb 100644
--- a/security/selinux/netnode.c
+++ b/security/selinux/netnode.c
@@ -264,8 +264,12 @@ static int sel_netnode_sid_slow(void *addr, u16 family, u32 *sid)
out:
spin_unlock_bh(&sel_netnode_lock);
- if (ret != 0)
+ if (unlikely(ret)) {
+ printk(KERN_WARNING
+ "SELinux: failure in sel_netnode_sid_slow(),"
+ " unable to determine network node label\n");
kfree(new);
+ }
return ret;
}