Received: by 10.223.185.116 with SMTP id b49csp8848223wrg; Fri, 2 Mar 2018 08:57:23 -0800 (PST) X-Google-Smtp-Source: AG47ELuSDixFKkau00YfAlej4BgNIFoQ0L4tq8pCC0YCjccmYiKGB9CzFWth3ulBWGw2GSr8E0oo X-Received: by 10.98.77.194 with SMTP id a185mr6296092pfb.123.1520009843485; Fri, 02 Mar 2018 08:57:23 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1520009843; cv=none; d=google.com; s=arc-20160816; b=xUQVcwD8cEVjoZnJSRooVTVmlnw9BAsB+uFuPSBs/XgN1jL/KRO7UiRKE3v15V41sE 3F6X1JQofRkKiGvyKMr5cCnelju+MM92Et1GQI8RT8G/mK4EIOOyVE0rzFWrrIIiWPQ3 wL/FEuMcdH+qGGcU1+tObYSUtzAt3B/xhg/LcEm1s1XPGCQ0butf2OAVRj3CfHfTb32W IFrEN4R6nxvvD0JOEL6DqqpqJ6Cox0Sz5mTF5vIhsR5QdVNrL/CcF+EgzRSz8dFxiet5 RWTvfoL/v/sgmQ0TAV7ktMyXPIMBCpgx6LPir3VhznL1Of1jkAmTWiUJrOfDLaN5FQk4 c5SA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:date:cc:to:from:subject:message-id :dkim-signature:arc-authentication-results; bh=048dmmydV7IAGZqrYxM7EyUe29btr9OP1Wt8Zu/yr1o=; b=vFzdPFF6EF8j0nx42I3jIg+ehyKVqtLVnRP7XGkRjv+d5T3M2jb3eDWe9aOppiqyoB KtzRtIsxi45GlTj5RUsLNd4ZejQQdXGgBCQHrk5ZITpPDbmtqWJfe4vnbSVH8wPXG0V0 fnSyN7wlLzYit29lQzdcqKo6qoSjeRLrT2MZybcQPAPfXWTjSAQ5jk1U2lCPu58oQm/z +SfWQf+OE9vENqL+g3IuJfjkD3tbLhruF5UPCWXddqZ0JB1x9KpxsPaIWgL/NjTC2shE YCSNLIYB45zXdgbwQTuoogTEb2NnkP3ruWlUTnGTGDoucXNhL0C4/o4/CFb08F2FrUGv KTmw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@btinternet.com header.s=btcpcloud header.b=Um+bfgba; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=REJECT dis=NONE) header.from=btinternet.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id u6si4201684pgc.707.2018.03.02.08.57.08; Fri, 02 Mar 2018 08:57:23 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@btinternet.com header.s=btcpcloud header.b=Um+bfgba; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=REJECT dis=NONE) header.from=btinternet.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1034493AbeCBQ4F (ORCPT + 99 others); Fri, 2 Mar 2018 11:56:05 -0500 Received: from rgout0306.bt.lon5.cpcloud.co.uk ([65.20.0.212]:59689 "EHLO rgout03.bt.lon5.cpcloud.co.uk" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1034475AbeCBQ4D (ORCPT ); Fri, 2 Mar 2018 11:56:03 -0500 X-OWM-Source-IP: 86.134.48.2 (GB) X-OWM-Env-Sender: richard_c_haines@btinternet.com X-RazorGate-Vade-Classification: clean X-RazorGate-Vade-Verdict: clean 0 X-VadeSecure-score: verdict=clean score=0/300, class=clean X-SNCR-VADESECURE: CLEAN X-RazorGate-Vade: gggruggvucftvghtrhhoucdtuddrgedtfedrieelgdelgecutefuodetggdotefrodftvfcurfhrohhfihhlvgemuceutffkvffkuffjvffgnffgvefqofdpqfgfvfenuceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmnecujfgurhepkffuhffvffgjfhgtofgggfesthejredtredtjeenucfhrhhomheptfhitghhrghrugcujfgrihhnvghsuceorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomheqnecuffhomhgrihhnpehgihhthhhusgdrtghomhdpphgruhhlqdhmohhorhgvrdgtohhmnecukfhppeekiedrudefgedrgeekrddvnecurfgrrhgrmhephhgvlhhopehlohgtrghlhhhoshhtrdhlohgtrghl Received: from localhost.localdomain (86.134.48.2) by rgout03.bt.lon5.cpcloud.co.uk (9.0.019.21-1) (authenticated as richard_c_haines@btinternet.com) id 5A8EA5EA00C311E1; Fri, 2 Mar 2018 16:55:59 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com; s=btcpcloud; t=1520009763; bh=048dmmydV7IAGZqrYxM7EyUe29btr9OP1Wt8Zu/yr1o=; h=Message-ID:Subject:From:To:Cc:Date:In-Reply-To:References:X-Mailer:Mime-Version; b=Um+bfgba555CK3KWlXetVqhZr/gliYYzHDltdEBBGcxSQI7tSv0uved4vtoOJURD83fyNRII8ZRrzX1W9JPtA4ossUAm0v8lOJPyUaJxzlBD1HTfQ5s1P3VlY+kFP+j9xSJaS/qZuEB8ly8CGGtMtyfW0QZt9XDFLXXSubyvS/o= Message-ID: <1520009758.23261.2.camel@btinternet.com> Subject: Re: Regression found when running LTP connect01 on next-20180301 From: Richard Haines To: Paul Moore Cc: netdev@vger.kernel.org, selinux@tycho.nsa.gov, linux-kernel@vger.kernel.org, anders.roxell@linaro.org Date: Fri, 02 Mar 2018 16:55:58 +0000 In-Reply-To: <161e2bc0f58.2781.85c95baa4474aabc7814e68940a78392@paul-moore.com> References: <20180301083316.GA6779@localhost.localdomain> <1519914989.3063.1.camel@btinternet.com> <161e2bc0f58.2781.85c95baa4474aabc7814e68940a78392@paul-moore.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.26.5 (3.26.5-1.fc27) Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 2018-03-01 at 13:03 -0500, Paul Moore wrote: > On March 1, 2018 9:36:37 AM Richard Haines et.com> wrote: > > On Thu, 2018-03-01 at 08:42 -0500, Paul Moore wrote: > > > On Thu, Mar 1, 2018 at 3:33 AM, Anders Roxell > > ro.o > > > rg> wrote: > > > > Hi, > > > > > > > > I was running LTP's testcase connect01 [1] and found a > > > > regression > > > > in linux-next > > > > (next-20180301). Bisect gave me this patch as the problematic > > > > patch (sha > > > > d452930fd3b9 "selinux: Add SCTP support") on a x86 target. > > > > > > > > Output from the test(LTP release 20180118): > > > > $ cd /opt/ltp/ > > > > $ cat runtest/syscalls |grep connect01>runtest/connect-syscall > > > > $ ./runltp -pq -f connect-syscall > > > > " > > > > Running tests....... > > > > connect01 1 TPASS : bad file descriptor successful > > > > connect01 2 TPASS : invalid socket buffer successful > > > > connect01 3 TPASS : invalid salen successful > > > > connect01 4 TPASS : invalid socket successful > > > > connect01 5 TPASS : already connected successful > > > > connect01 6 TPASS : connection refused successful > > > > connect01 7 TFAIL : connect01.c:146: invalid address > > > > family ; > > > > returned -1 (expected -1), errno 22 (expected 97) > > > > INFO: ltp-pan reported some tests FAIL > > > > LTP Version: 20180118 > > > > " > > > > > > > > The output from the test expected 97 and we received 22, can > > > > you > > > > please > > > > elaborate on what have been changed? > > > > > > > > Cheers, > > > > Anders > > > > [1] https://github.com/linux-test-project/ltp/blob/20180118/tes > > > > tcas > > > > es/kernel/syscalls/connect/connect01.c#L146 > > > > > > Hi Anders, > > > > > > Thanks for the report. Out of curiosity, we're you running the > > > full > > > LTP test suite and this was the only failure, or did you just run > > > the > > > connect01 test? Either answer is fine, I'm just trying to > > > understand > > > the scope of the regression. > > > > > > Richard, are you able to look into this? If not, let me know and > > > I'll > > > dig a bit deeper (I'll likely take a quick look today, but if the > > > failure is subtle it might require some digging). > > > > I'll have a look today. > > One more thing I forgot to mention earlier, if there is a patch to > fix this, could you please base it on top of the existing > SELinux/SCTP patches that have already been merged, and not respin an > earlier patch? > > Thank you. Just to keep you informed: It appears that with the original hooks.c selinux_socket_connect() function check: if (sk->sk_family == PF_INET) {, the test fell through as sk->sk_family = 2 (AF_INET) with the error being picked up by the caller - even though the test set an illegal family of 47 - but not on the sk->sk_family, hence: With the new check: if (address->sa_family == AF_INET) {, the address- >sa_family = 47 and therefore treated it as an IPv6 address and failed with -EINVAL. By a fluke this is what SCTP services expects when invalid address family, however TCP and DCCP requires -EAFNOSUPPORT. I can fix this with the following simple patch: switch (address->sa_family) { case AF_INET: addr4 = (struct sockaddr_in *)address; if (addrlen < sizeof(struct sockaddr_in)) return -EINVAL; snum = ntohs(addr4->sin_port); break; case AF_INET6: addr6 = (struct sockaddr_in6 *)address; if (addrlen < SIN6_LEN_RFC2133) return -EINVAL; snum = ntohs(addr6->sin6_port); break; default: /* Note that SCTP services expect -EINVAL, whereas * others expect -EAFNOSUPPORT. */ if (sksec->sclass == SECCLASS_SCTP_SOCKET) return -EINVAL; else return -EAFNOSUPPORT; } This will pass the following LTP tests: ./runltp -pq -f connect-syscall ./runltp -pq -f net.sctp The selinux-testsuite inet_socket and sctp tests all pass as well. However: The selinux_socket_bind() function has the same issue that can be fixed by the same type of patch. So far I've tested three different patches to fix this problem and this one above seems best. I'll post a patch based on this covering the bind issue as well once I've done more testing. I think the SCTP services should return -EAFNOSUPPORT for this (as their sctp_connectx(3) man page states this), that will require kernel patch and patches to their test services (plus of course may impact some apps already out there ??). > > -- > paul moore > www.paul-moore.com > >