This is not a critical issue, so the patches are based on net-next.
The patches are split because the 'Fixes' tag differs from one command to the next.
security/selinux/nlmsgtab.c | 7 +++++++
1 file changed, 7 insertions(+)
Regards,
Nicolas
These new commands are missing.
Fixes: 0c7aecd4bde4 ("netns: add rtnl cmd to add and get peer netns ids")
Signed-off-by: Nicolas Dichtel <[email protected]>
---
security/selinux/nlmsgtab.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
index 2df7b900e259..91228a730801 100644
--- a/security/selinux/nlmsgtab.c
+++ b/security/selinux/nlmsgtab.c
@@ -73,6 +73,8 @@ static struct nlmsg_perm nlmsg_route_perms[] =
{ RTM_NEWMDB, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
{ RTM_DELMDB, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
{ RTM_GETMDB, NETLINK_ROUTE_SOCKET__NLMSG_READ },
+ { RTM_NEWNSID, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
+ { RTM_GETNSID, NETLINK_ROUTE_SOCKET__NLMSG_READ },
};
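Review bot: Nothing in this hunk ties nlmsg_route_perms[] to the RTM_* enumeration, so the omission fixed here will recur the next time a rtnetlink command is added, and the cover letter's "not critical" understates the effect: as far as I recall selinux_nlmsg_perm(), an unrecognized type is logged and denied in enforcing mode, or, where the policy allows unknowns, passed through without any nlmsg_read/nlmsg_write check at all. A compile-time guard in the NETLINK_ROUTE branch of selinux_nlmsg_lookup(), e.g. `BUILD_BUG_ON(RTM_MAX != (RTM_NEWNSID + 3));`, would make the build fail on the next addition (the `+ 3` assumes RTM_MAX rounds up to the SET slot of the newest NEW command, as rtnetlink.h has done so far; confirm before relying on it). The mapping itself, NEW as write and GET as read, is consistent with the neighbouring MDB entries.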
static struct nlmsg_perm nlmsg_tcpdiag_perms[] =
--
2.2.2
This new command is missing.
Fixes: 9a9634545c70 ("netns: notify netns id events")
Signed-off-by: Nicolas Dichtel <[email protected]>
---
security/selinux/nlmsgtab.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
index 91228a730801..c8cee0766b60 100644
--- a/security/selinux/nlmsgtab.c
+++ b/security/selinux/nlmsgtab.c
@@ -74,6 +74,7 @@ static struct nlmsg_perm nlmsg_route_perms[] =
{ RTM_DELMDB, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
{ RTM_GETMDB, NETLINK_ROUTE_SOCKET__NLMSG_READ },
{ RTM_NEWNSID, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
+ { RTM_DELNSID, NETLINK_ROUTE_SOCKET__NLMSG_READ },
{ RTM_GETNSID, NETLINK_ROUTE_SOCKET__NLMSG_READ },
};
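Review bot: Mapping a DEL command to NLMSG_READ is surprising on its face, and the table gives no hint why; the rationale lives only in the mailing-list thread. Record it at the entry, e.g. `{ RTM_DELNSID, NETLINK_ROUTE_SOCKET__NLMSG_READ }, /* notification only, no rtnl handler; re-check if one is added */`, so that a future `rtnl_register()` of a RTM_DELNSID doit does not silently inherit read-level checking. This is a documentation-only suggestion; the permission chosen is in line with how the notification-only xfrm types are treated later in this series.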
--
2.2.2
This new command is missing.
Fixes: 880a6fab8f6b ("xfrm: configure policy hash table thresholds by netlink")
Reported-by: Christophe Gouault <[email protected]>
Signed-off-by: Nicolas Dichtel <[email protected]>
---
security/selinux/nlmsgtab.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
index c8cee0766b60..4bc90c2aaea2 100644
--- a/security/selinux/nlmsgtab.c
+++ b/security/selinux/nlmsgtab.c
@@ -103,6 +103,7 @@ static struct nlmsg_perm nlmsg_xfrm_perms[] =
{ XFRM_MSG_FLUSHPOLICY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
{ XFRM_MSG_NEWAE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
{ XFRM_MSG_GETAE, NETLINK_XFRM_SOCKET__NLMSG_READ },
+ { XFRM_MSG_NEWSPDINFO, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
};
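Review bot: The commit message should say what the missing entry meant in practice, because this command is not a query: per the Fixes title it configures policy hash-table thresholds, so it is a genuine write. As far as I recall selinux_nlmsg_perm(), an unknown message type is either denied outright in enforcing mode or, when the policy permits unknowns, allowed without the nlmsg_write check, meaning a domain holding only nlmsg_read on its xfrm socket could have issued it. One sentence such as `Without this entry, XFRM_MSG_NEWSPDINFO was either rejected as unrecognized or bypassed the nlmsg_write check, depending on policy` would make the security impact explicit for backporters.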
static struct nlmsg_perm nlmsg_audit_perms[] =
--
2.2.2
This command is missing.
Fixes: ecfd6b183780 ("[XFRM]: Export SPD info")
Signed-off-by: Nicolas Dichtel <[email protected]>
---
security/selinux/nlmsgtab.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
index 4bc90c2aaea2..d4bccfcfcf2d 100644
--- a/security/selinux/nlmsgtab.c
+++ b/security/selinux/nlmsgtab.c
@@ -104,6 +104,7 @@ static struct nlmsg_perm nlmsg_xfrm_perms[] =
{ XFRM_MSG_NEWAE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
{ XFRM_MSG_GETAE, NETLINK_XFRM_SOCKET__NLMSG_READ },
{ XFRM_MSG_NEWSPDINFO, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
+ { XFRM_MSG_GETSPDINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },
};
static struct nlmsg_perm nlmsg_audit_perms[] =
--
2.2.2
These commands are missing.
Fixes: 28d8909bc790 ("[XFRM]: Export SAD info.")
Signed-off-by: Nicolas Dichtel <[email protected]>
---
security/selinux/nlmsgtab.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
index d4bccfcfcf2d..4e21b72dd709 100644
--- a/security/selinux/nlmsgtab.c
+++ b/security/selinux/nlmsgtab.c
@@ -103,6 +103,8 @@ static struct nlmsg_perm nlmsg_xfrm_perms[] =
{ XFRM_MSG_FLUSHPOLICY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
{ XFRM_MSG_NEWAE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
{ XFRM_MSG_GETAE, NETLINK_XFRM_SOCKET__NLMSG_READ },
+ { XFRM_MSG_NEWSADINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },
+ { XFRM_MSG_GETSADINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },
{ XFRM_MSG_NEWSPDINFO, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
{ XFRM_MSG_GETSPDINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },
};
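Review bot: XFRM_MSG_NEWSADINFO is mapped to NLMSG_READ while the adjacent XFRM_MSG_NEWSPDINFO is NLMSG_WRITE, and "These commands are missing" does not explain why two NEW* types get different permissions. If NEWSADINFO is reply-only (the kernel builds it in answer to GETSADINFO and registers no handler for it, which I believe is the case but cannot confirm from the hunk), state that in the commit message and mark the entry, e.g. `/* XFRM_MSG_NEWSADINFO: reply to GETSADINFO only, no handler */`; if a handler does exist, this entry should be NLMSG_WRITE. Either way the asymmetry deserves a recorded reason so it is not "corrected" later by someone matching the NEWSPDINFO line.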
--
2.2.2
From: Nicolas Dichtel <[email protected]>
Date: Wed, 8 Apr 2015 18:36:37 +0200
> It's not a critical issue, thus the patches are based on net-next.
>
> Patches are splitted because the 'Fixes' tag is not the same for all
> commands.
Series applied, thanks Nicolas.
On Wed, Apr 8, 2015 at 12:36 PM, Nicolas Dichtel
<[email protected]> wrote:
> This new command is missing.
>
> Fixes: 9a9634545c70 ("netns: notify netns id events")
> Signed-off-by: Nicolas Dichtel <[email protected]>
> ---
> security/selinux/nlmsgtab.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
> index 91228a730801..c8cee0766b60 100644
> --- a/security/selinux/nlmsgtab.c
> +++ b/security/selinux/nlmsgtab.c
> @@ -74,6 +74,7 @@ static struct nlmsg_perm nlmsg_route_perms[] =
> { RTM_DELMDB, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
> { RTM_GETMDB, NETLINK_ROUTE_SOCKET__NLMSG_READ },
> { RTM_NEWNSID, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
> + { RTM_DELNSID, NETLINK_ROUTE_SOCKET__NLMSG_READ },
> { RTM_GETNSID, NETLINK_ROUTE_SOCKET__NLMSG_READ },
> };
Can you elaborate a bit on the RTM_DELNSID type? Based only on the
name I wonder if it should be treated as a "write" and not a "read"
operation.
--
paul moore
http://www.paul-moore.com
On 04/08/2015 12:36 PM, Nicolas Dichtel wrote:
> This new command is missing.
>
> Fixes: 880a6fab8f6b ("xfrm: configure policy hash table thresholds by netlink")
> Reported-by: Christophe Gouault <[email protected]>
> Signed-off-by: Nicolas Dichtel <[email protected]>
> ---
> security/selinux/nlmsgtab.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
> index c8cee0766b60..4bc90c2aaea2 100644
> --- a/security/selinux/nlmsgtab.c
> +++ b/security/selinux/nlmsgtab.c
> @@ -103,6 +103,7 @@ static struct nlmsg_perm nlmsg_xfrm_perms[] =
> { XFRM_MSG_FLUSHPOLICY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
> { XFRM_MSG_NEWAE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
> { XFRM_MSG_GETAE, NETLINK_XFRM_SOCKET__NLMSG_READ },
> + { XFRM_MSG_NEWSPDINFO, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
> };
>
> static struct nlmsg_perm nlmsg_audit_perms[] =
>
Seem to be missing a number of the other commands defined in
include/uapi/linux/xfrm.h as well, e.g. XFRM_MSG_REPORT,
XFRM_MSG_MIGRATE, XFRM_MSG_NEWSADINFO, XFRM_MSG_GETSADINFO,
XFRM_MSG_GETSPDINFO, XFRM_MSG_MAPPING.
Le 09/04/2015 13:10, Paul Moore a écrit :
[snip]
>> --- a/security/selinux/nlmsgtab.c
>> +++ b/security/selinux/nlmsgtab.c
>> @@ -74,6 +74,7 @@ static struct nlmsg_perm nlmsg_route_perms[] =
>> { RTM_DELMDB, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
>> { RTM_GETMDB, NETLINK_ROUTE_SOCKET__NLMSG_READ },
>> { RTM_NEWNSID, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
>> + { RTM_DELNSID, NETLINK_ROUTE_SOCKET__NLMSG_READ },
>> { RTM_GETNSID, NETLINK_ROUTE_SOCKET__NLMSG_READ },
>> };
>
> Can you elaborate a bit on the RTM_DELNSID type? Based only on the
> name I wonder if it should be treated as a "write" and not a "read"
> operation.
Userspace is not allowed to delete a nsid (no handler is implemented). RTM_DELNSID is only used for notifications.
Le 09/04/2015 14:32, Stephen Smalley a écrit :
[snip]
> Seem to be missing a number of the other commands defined in
> include/uapi/linux/xfrm.h as well, e.g. XFRM_MSG_REPORT,
> XFRM_MSG_MIGRATE, XFRM_MSG_NEWSADINFO, XFRM_MSG_GETSADINFO,
> XFRM_MSG_GETSPDINFO, XFRM_MSG_MAPPING.
Right, I will provide a patch.
Thank you,
Nicolas
On Thu, Apr 9, 2015 at 9:10 AM, Nicolas Dichtel
<[email protected]> wrote:
> Le 09/04/2015 13:10, Paul Moore a écrit :
> [snip]
>>>
>>> --- a/security/selinux/nlmsgtab.c
>>> +++ b/security/selinux/nlmsgtab.c
>>> @@ -74,6 +74,7 @@ static struct nlmsg_perm nlmsg_route_perms[] =
>>> { RTM_DELMDB, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
>>> { RTM_GETMDB, NETLINK_ROUTE_SOCKET__NLMSG_READ },
>>> { RTM_NEWNSID, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
>>> + { RTM_DELNSID, NETLINK_ROUTE_SOCKET__NLMSG_READ },
>>> { RTM_GETNSID, NETLINK_ROUTE_SOCKET__NLMSG_READ },
>>> };
>>
>>
>> Can you elaborate a bit on the RTM_DELNSID type? Based only on the
>> name I wonder if it should be treated as a "write" and not a "read"
>> operation.
>
> The user is not allowed to delete a nsid (no method is implemented). This
> RTM_DELNSID is only used for notifications.
Okay, thanks for clearing that up.
--
paul moore
http://www.paul-moore.com
With this series, xfrm commands are fully synchronized.
security/selinux/nlmsgtab.c | 3 +++
1 file changed, 3 insertions(+)
Regards,
Nicolas
This command is missing.
Fixes: 97a64b4577ae ("[XFRM]: Introduce XFRM_MSG_REPORT.")
Reported-by: Stephen Smalley <[email protected]>
Signed-off-by: Nicolas Dichtel <[email protected]>
---
security/selinux/nlmsgtab.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
index 4e21b72dd709..7d49312b30e1 100644
--- a/security/selinux/nlmsgtab.c
+++ b/security/selinux/nlmsgtab.c
@@ -103,6 +103,7 @@ static struct nlmsg_perm nlmsg_xfrm_perms[] =
{ XFRM_MSG_FLUSHPOLICY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
{ XFRM_MSG_NEWAE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
{ XFRM_MSG_GETAE, NETLINK_XFRM_SOCKET__NLMSG_READ },
+ { XFRM_MSG_REPORT, NETLINK_XFRM_SOCKET__NLMSG_READ },
{ XFRM_MSG_NEWSADINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },
{ XFRM_MSG_GETSADINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },
{ XFRM_MSG_NEWSPDINFO, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
--
2.2.2
This command is missing.
Fixes: 5c79de6e79cd ("[XFRM]: User interface for handling XFRM_MSG_MIGRATE")
Reported-by: Stephen Smalley <[email protected]>
Signed-off-by: Nicolas Dichtel <[email protected]>
---
security/selinux/nlmsgtab.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
index 7d49312b30e1..9bd7f93109a1 100644
--- a/security/selinux/nlmsgtab.c
+++ b/security/selinux/nlmsgtab.c
@@ -104,6 +104,7 @@ static struct nlmsg_perm nlmsg_xfrm_perms[] =
{ XFRM_MSG_NEWAE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
{ XFRM_MSG_GETAE, NETLINK_XFRM_SOCKET__NLMSG_READ },
{ XFRM_MSG_REPORT, NETLINK_XFRM_SOCKET__NLMSG_READ },
+ { XFRM_MSG_MIGRATE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
{ XFRM_MSG_NEWSADINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },
{ XFRM_MSG_GETSADINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },
{ XFRM_MSG_NEWSPDINFO, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
--
2.2.2
This command is missing.
Fixes: 3a2dfbe8acb1 ("xfrm: Notify changes in UDP encapsulation via netlink")
CC: Martin Willi <[email protected]>
Reported-by: Stephen Smalley <[email protected]>
Signed-off-by: Nicolas Dichtel <[email protected]>
---
security/selinux/nlmsgtab.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
index 9bd7f93109a1..30594bfa5fb1 100644
--- a/security/selinux/nlmsgtab.c
+++ b/security/selinux/nlmsgtab.c
@@ -109,6 +109,7 @@ static struct nlmsg_perm nlmsg_xfrm_perms[] =
{ XFRM_MSG_GETSADINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },
{ XFRM_MSG_NEWSPDINFO, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
{ XFRM_MSG_GETSPDINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },
+ { XFRM_MSG_MAPPING, NETLINK_XFRM_SOCKET__NLMSG_READ },
};
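Review bot: The cover letter says the xfrm commands are now "fully synchronized", but nothing in the table enforces that, and this series exists precisely because the previous synchronization drifted. If XFRM_MSG_MAPPING is indeed the last defined type (Stephen's list and the cover letter suggest so, I cannot see xfrm.h from here), add `BUILD_BUG_ON(XFRM_MSG_MAX != XFRM_MSG_MAPPING);` in the NETLINK_XFRM branch of selinux_nlmsg_lookup() so the next XFRM_MSG_* addition breaks the build until this table is updated. The NLMSG_READ choice for MAPPING matches the treatment of the other kernel-originated notification types in this series, but a short comment saying it is notification-only would help the next reader.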
static struct nlmsg_perm nlmsg_audit_perms[] =
--
2.2.2
From: Nicolas Dichtel <[email protected]>
Date: Fri, 10 Apr 2015 16:24:25 +0200
> With this series, xfrm commands are fully synchronized.
Series applied, thanks.