From: Evgeniy Polyakov <johnpol@2ka•mipt.ru>
To: James Morris <jmorris@namei•org>
Cc: "David S. Miller" <davem@davemloft•net>,
Herbert Xu <herbert@gondor•apana.org.au>,
netdev@vger•kernel.org, Stephen Smalley <sds@tycho•nsa.gov>,
Venkat Yekkirala <vyekkirala@TrustedCS•com>,
Paul Moore <paul.moore@hp•com>
Subject: Re: [PATCH] Fix for IPsec leakage with SELinux enabled
Date: Mon, 2 Oct 2006 15:20:51 +0400 [thread overview]
Message-ID: <20061002112050.GA772@2ka.mipt.ru> (raw)
In-Reply-To: <Pine.LNX.4.64.0610010203440.8658@d.namei>
On Sun, Oct 01, 2006 at 02:27:13AM -0400, James Morris (jmorris@namei•org) wrote:
> Please review this patch carefully. It addresses a couple of issues.
>
> When a security module is loaded (in this case, SELinux), the
> security_xfrm_policy_lookup() hook can return an access denied permission
> (or other error). We were not handling that correctly, and in fact
> inverting the return logic and propagating a false "ok" back up to
> xfrm_lookup(), which then allowed packets to pass as if they were not
> associated with an xfrm policy.
>
> The way I was seeing the problem was when connecting via IPsec to a
> confined service on an SELinux box (vsftpd), which did not have the
> appropriate SELinux policy permissions to send packets via IPsec.
>
> The first SYNACK would be blocked, because of an uncached lookup via
> flow_cache_lookup(), which would fail to resolve an xfrm policy because
> the SELinux policy is checked at that point via the resolver.
>
> However, retransmitted SYNACKs would then find a cached flow entry when
> calling into flow_cache_lookup() with a null xfrm policy, which is
> interpreted by xfrm_lookup() as the packet not having any associated
> policy and similarly to the first case, allowing it to pass without
> transformation.
>
> The solution presented here is to first ensure that errno values are
> correctly propagated all the way back up through the various call chains
> from security_xfrm_policy_lookup(), and handled correctly.
>
> Then, flow_cache_lookup() is modified, so that if the policy resolver
> fails (typically a permission denied via the security module), the flow
> cache entry is killed rather than having a null policy assigned (which
> indicates that the packet can pass freely). This also forces any future
> lookups for the same flow to consult the security module (e.g. SELinux)
> for current security policy (rather than, say, caching the error on the
> flow cache entry).
>
> I've done quite a bit of testing and not seen any problems, although the
> patch could certainly do with further review.
>
> Evgeniy, please let me know if this fixes your problem.
With that patch applied I got kernel panic after some time.
Unfortunately I have not installed serial console, so the most
interesting bits of the stack dump are not visible.
Here is the last ones which are on the screen:
ip_rcv
ip_rcv_finish
packet_rcv_spkt
ip_rcv
netif_receive_skb
sys_accept
skge_poll
and some other uninteresting stuff like hrtimer, softirq and the like...
EIP is at xfrm_lookup+0x43d/0x470
Notice packet socket handler in the trace, may be it can help - I ran
system with tcpdump started.
--
Evgeniy Polyakov
next prev parent reply other threads:[~2006-10-02 11:21 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-09-22 11:29 Is TCP over IPsec broken in 2.6.18? Evgeniy Polyakov
2006-09-22 11:35 ` Evgeniy Polyakov
2006-09-22 12:19 ` Evgeniy Polyakov
2006-09-22 12:23 ` Patrick McHardy
2006-09-22 14:03 ` Evgeniy Polyakov
2006-09-22 15:15 ` James Morris
2006-09-22 15:47 ` James Morris
2006-09-23 4:29 ` Evgeniy Polyakov
2006-09-24 5:11 ` James Morris
2006-09-24 9:08 ` Patrick McHardy
2006-09-24 14:33 ` James Morris
2006-09-24 23:54 ` Herbert Xu
[not found] ` <20060925103836.GA13966@2ka.mipt.ru>
2006-09-25 11:27 ` Herbert Xu
2006-09-25 12:05 ` Evgeniy Polyakov
2006-09-25 12:55 ` jamal
2006-09-30 5:06 ` James Morris
2006-09-30 5:14 ` James Morris
2006-09-30 7:41 ` James Morris
2006-09-30 11:15 ` Evgeniy Polyakov
2006-09-30 14:36 ` James Morris
2006-09-30 14:40 ` Evgeniy Polyakov
2006-09-30 14:42 ` Evgeniy Polyakov
2006-09-30 14:44 ` James Morris
2006-10-01 6:27 ` [PATCH] Fix for IPsec leakage with SELinux enabled James Morris
2006-10-02 11:20 ` Evgeniy Polyakov [this message]
2006-10-02 13:31 ` James Morris
2006-10-02 13:42 ` Evgeniy Polyakov
2006-10-02 14:05 ` James Morris
2006-10-02 14:27 ` [PATCH] Fix for IPsec leakage with SELinux enabled - V.02 James Morris
2006-10-02 16:00 ` Evgeniy Polyakov
2006-10-02 16:13 ` James Morris
2006-10-02 16:30 ` Evgeniy Polyakov
2006-10-02 16:41 ` James Morris
2006-10-04 5:08 ` Evgeniy Polyakov
2006-10-04 13:00 ` James Morris
2006-10-03 23:18 ` David Miller
2006-10-04 1:33 ` James Morris
2006-10-04 13:41 ` Herbert Xu
2006-10-05 20:58 ` James Morris
2006-10-05 21:04 ` David Miller
-- strict thread matches above, loose matches on Subject: below --
2006-10-01 20:55 [PATCH] Fix for IPsec leakage with SELinux enabled Venkat Yekkirala
2006-10-02 1:44 ` James Morris
2006-10-02 17:09 Venkat Yekkirala
2006-10-02 18:39 ` James Morris
2006-10-02 18:59 Venkat Yekkirala
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20061002112050.GA772@2ka.mipt.ru \
--to=johnpol@2ka$(echo .)mipt.ru \
--cc=davem@davemloft$(echo .)net \
--cc=herbert@gondor$(echo .)apana.org.au \
--cc=jmorris@namei$(echo .)org \
--cc=netdev@vger$(echo .)kernel.org \
--cc=paul.moore@hp$(echo .)com \
--cc=sds@tycho$(echo .)nsa.gov \
--cc=vyekkirala@TrustedCS$(echo .)com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox