Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp1778795imm; Thu, 20 Sep 2018 02:45:36 -0700 (PDT) X-Google-Smtp-Source: ANB0Vdaz9VYOd2fFc5LqyKRYjS7MgbI2bG8lORlPOBPP2jteUs2HV/rvuoYowAHuIP8rcatDYKk3 X-Received: by 2002:a17:902:788e:: with SMTP id q14-v6mr3992694pll.49.1537436735964; Thu, 20 Sep 2018 02:45:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1537436735; cv=none; d=google.com; s=arc-20160816; b=XIVm9jnhpWlqHWXtJV9AmtNnzA/34HNyxTY97LwuRD25sEgKiKQbmOfWcsgHnObX4o +No4HW1qCKW5cdw6G8X6KaMc6Np5PYsUPGs5JBEBw3IV0b6Fi5hxTUVOKGAKUVq8bZba W/QdB9HA2557V1bRb98ROEX/BWMCxhXxsxp/m7CuFEZzLCCN8NJcLQuhyusP3jL85/SH UlLZFbA7u4trQGgQDLrbD+RD0LT44UkirKtV6rZO9nkm1gfmiqux9W3eNpypy+MVOfSX CQ7GrTTrhi/Bh6GKcL9tkwybIJkS5qM2tobFZ058qg256Jhz1baPN/1pYnxb5D29Befw 6Xbg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-transfer-encoding:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=iKqqxQD+pJSbiNHWUsBV15QGbqsziyY3kGR5V4ZAGYU=; b=o8oThGH6IoB0EdhjPBZ+g9N8+HNDZxRbhRYew3nrgz37moKGnp0vU9d4BbxX5GJi0P n+e+Jlr4VtustR8kkcNyj1+Z9MNaMSDhpNrnaZNmWe9K7XInOVtO8KXFXGDQaplHbVj0 IN9wioUyqeoIJiTAhoaGycfchR3cZvgySjjaSNV85Ds4leVJjyL9vZtFLyRGE8cUhSi9 dnn4GG2UZwUWQ2gQO9/L5Jh4BjX+LilTtH4+bIugTzizi7vFl7pOewJRIHTGiqS+O8Av JmKHNtfN/NZSmrYIKKTgi7lUsfqSPZ3sfjm7Mqi0RQVQQORmdwXScP83aGNn8Jd+GlA3 jQug== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y14-v6si23163477plp.371.2018.09.20.02.45.18; Thu, 20 Sep 2018 02:45:35 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2387424AbeITP1s (ORCPT + 99 others); Thu, 20 Sep 2018 11:27:48 -0400 Received: from Chamillionaire.breakpoint.cc ([146.0.238.67]:36522 "EHLO Chamillionaire.breakpoint.cc" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726669AbeITP1s (ORCPT ); Thu, 20 Sep 2018 11:27:48 -0400 Received: from fw by Chamillionaire.breakpoint.cc with local (Exim 4.89) (envelope-from ) id 1g2vW6-0002MW-Ca; Thu, 20 Sep 2018 11:44:58 +0200 Date: Thu, 20 Sep 2018 11:44:58 +0200 From: Florian Westphal To: Christian =?iso-8859-15?Q?G=F6ttsche?= Cc: fw@strlen.de, casey@schaufler-ca.com, pablo@netfilter.org, kadlec@blackhole.kfki.hu, davem@davemloft.net, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Paul Moore , Stephen Smalley , Eric Paris , jmorris@namei.org, serge@hallyn.com, selinux , linux-security-module@vger.kernel.org Subject: Re: [PATCH] netfilter: nf_tables: add SECMARK support Message-ID: <20180920094458.6hwaw3vgfsxvcgb4@breakpoint.cc> References: <20180919231402.4482-1-cgzones@googlemail.com> <75b3fed9-e549-4ed0-c435-ec4795fc1e39@schaufler-ca.com> <20180920085048.tps2v4jkko7zjav4@breakpoint.cc> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-15 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: User-Agent: NeoMutt/20170113 (1.7.2) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Christian G?ttsche wrote: > > Fixes should go into nf.git whereas feature goes to nf-next.git. > > No, that should not be a unroll fix. > Currently there are no objects registered by the main nf_tables > module, so for nft_secmark_obj_type I had to introduce this new logic. I see, ok. > > > > + if (err) { > > > > + if (err == -EINVAL) > > > > + pr_notice_ratelimited("invalid security context \'%s\'\n", priv->ctx); > > > > + else > > > > + pr_notice_ratelimited("unable to convert security context \'%s\': %d\n", priv->ctx, -err); > > > > + return; > > > > + } > > > > Please remove these printks(), they do not really help as user can't > > take any action anyway. > > Aren't they helpful? > "invalid security context" can pop up if someone supplies an invalid > SELinux context (nft add secmark inet filter sshtag > \"this_is_invalid\") and uses it Can't that be caught at ->init() time? We can then reject this via plain -EINVAL. No need for printk because caller knows which expression/object caused the error. > "unable to convert security context" can pop up if no LSM is enabled Can that be done at ->init() time when we can still reject the (invalid) rule? > "unable to map security context" should never happen, but one never knows Ok, but what is user supposed to do? This just causes perpetual spew of warnings in the kernel ring buffer. > "unable to obtain relabeling permission" can pop up if e.g. the > SELinux permission "kernel_t ssh_server_packet:packet relabelto" is > missing Makes sense, but this will need to be a plain return -EPERM, this function can only be used in process context.