From: Evgeniy Polyakov <zbr@ioremap•net>
To: Samir Bellabes <sam@synack•fr>
Cc: linux-security-module@vger•kernel.org,
Patrick McHardy <kaber@trash•net>, jamal <hadi@cyberus•ca>,
Neil Horman <nhorman@tuxdriver•com>,
netdev@vger•kernel.org, netfilter-devel@vger•kernel.org
Subject: Re: [RFC 6/9] snet: introduce snet_hooks.c and snet_hook.h
Date: Sat, 2 Jan 2010 23:13:03 +0300 [thread overview]
Message-ID: <20100102201303.GB27402@ioremap.net> (raw)
In-Reply-To: <1262437456-24476-7-git-send-email-sam@synack.fr>
Hi.
On Sat, Jan 02, 2010 at 02:04:13PM +0100, Samir Bellabes (sam@synack•fr) wrote:
> This patch adds the snet LSM's subsystem
>
> snet_hooks provides the security hook's functions and the security_operations
> structure. Currently hook functions are only related to network stack.
>
> For each hook function, there is a generic mecanism:
> 0. check if the event [syscall, protocol] is registered
> 1. prepare informations for userspace
> 2. send informations to userspace (snet_netlink)
> 3. wait for verdict from userspace (snet_verdict)
> 4. apply verdict for the syscall
>
> steps 3 and 4 are only valid for LSM hooks which are returning a value (a way to
> 'filter' the syscall). For hooks returning 'void', steps 3 and 4 don't exist,
> but snet sends security informations to userspace (step 2) to update the global
> security policy.
>
> Signed-off-by: Samir Bellabes <sam@synack•fr>
> ---
> +#define SNET_DBG_V4() \
> + snet_dbg("%u.%u.%u.%u:%u->%u.%u.%u.%u:%u\n", \
> + NIPQUAD(info.src.u3.ip), info.src.u.port, \
> + NIPQUAD(info.dst.u3.ip), info.dst.u.port)
> +
> +#define SNET_DBG_V6() \
> + snet_dbg("%pI6:%u->%pI6:%u\n", \
> + &info.src.u3.ip, info.src.u.port, \
> + &info.dst.u3.ip, info.dst.u.port)
> +
There are cool %pi4 and %pi6 format modifiers for IP addresses.
> +#define SNET_CHECK_LISTENERS() \
> +do { \
> + if (atomic_read(&snet_num_listeners) < 0) { \
> + snet_dbg("number of listeners is negative\n"); \
> + verdict = SNET_VERDICT_GRANT; \
> + goto out; \
> + } else if (atomic_read(&snet_num_listeners) == 0) { \
> + verdict = SNET_VERDICT_GRANT; \
> + goto out; \
> + } \
> +} while (0)
> +
> +#define SNET_DO_VERDICT(sys, family) \
> +do { \
> + if (verdict_id == 0) \
> + goto skip_send_wait; \
> + /* sending networking informations to userspace */ \
> + snet_nl_send_event(verdict_id, sys, protocol, \
> + family, (void *)&info, \
> + sizeof(struct snet_sock_info)); \
> + /* waiting for userspace reply or timeout */ \
> + verdict = snet_verdict_wait(verdict_id); \
> + /* removing verdict */ \
> + snet_verdict_remove(verdict_id); \
> +} while (0)
> +
> +#define SNET_CHECK_LISTENERS_NOVERDICT() \
> +do { \
> + if (atomic_read(&snet_num_listeners) < 0) { \
> + snet_dbg("number of listeners is negative\n"); \
> + goto out; \
> + } else if (atomic_read(&snet_num_listeners) == 0) { \
> + goto out; \
> + } \
> +} while (0)
> +
> +#define SNET_DO_SEND_EVENT(sys, family) \
> +do { \
> + /* sending networking informations to userspace */ \
> + snet_nl_send_event(0, sys, protocol, \
> + family, (void *)&info, \
> + sizeof(struct snet_sock_info)); \
> +} while (0)
> +
Why do you need those ugly macroses which reference external objects?
Can it be refactored into some inline function with common error value
instead?
--
Evgeniy Polyakov
next prev parent reply other threads:[~2010-01-02 20:13 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-01-02 13:04 [RFC 0/9] snet: Security for NETwork syscalls Samir Bellabes
2010-01-02 13:04 ` [RFC 1/9] lsm: add security_socket_closed() Samir Bellabes
2010-01-04 18:33 ` Serge E. Hallyn
2010-01-02 13:04 ` [RFC 2/9] Revert "lsm: Remove the socket_post_accept() hook" Samir Bellabes
2010-01-04 18:36 ` Serge E. Hallyn
2010-01-05 0:31 ` Tetsuo Handa
2010-01-05 0:38 ` Serge E. Hallyn
2010-01-02 13:04 ` [RFC 3/9] snet: introduce security/snet, Makefile and Kconfig changes Samir Bellabes
2010-01-04 18:39 ` Serge E. Hallyn
2010-01-06 6:04 ` Samir Bellabes
2010-01-02 13:04 ` [RFC 4/9] snet: introduce snet_core.c and snet.h Samir Bellabes
2010-01-04 14:43 ` Patrick McHardy
2010-01-06 18:23 ` Samir Bellabes
2010-01-06 19:46 ` Samir Bellabes
2010-01-06 19:58 ` Evgeniy Polyakov
2010-01-23 2:07 ` Samir Bellabes
2010-01-23 2:18 ` Evgeniy Polyakov
2010-01-07 14:34 ` Samir Bellabes
2010-01-07 14:53 ` Samir Bellabes
2010-01-07 14:58 ` Samir Bellabes
2010-01-08 4:32 ` Samir Bellabes
2010-01-04 18:42 ` Serge E. Hallyn
2010-01-06 6:12 ` Samir Bellabes
2010-01-02 13:04 ` [RFC 5/9] snet: introduce snet_event.c and snet_event.h Samir Bellabes
2010-01-02 20:09 ` Evgeniy Polyakov
2010-01-02 23:38 ` Samir Bellabes
2010-01-04 19:08 ` Serge E. Hallyn
2010-01-08 7:21 ` Samir Bellabes
2010-01-08 15:34 ` Serge E. Hallyn
2010-01-08 17:44 ` Samir Bellabes
2010-01-08 17:51 ` Samir Bellabes
2010-01-08 18:10 ` Serge E. Hallyn
2010-01-02 13:04 ` [RFC 6/9] snet: introduce snet_hooks.c and snet_hook.h Samir Bellabes
2010-01-02 20:13 ` Evgeniy Polyakov [this message]
2010-01-03 11:10 ` Samir Bellabes
2010-01-03 19:16 ` Stephen Hemminger
2010-01-03 22:26 ` Samir Bellabes
2010-01-02 13:04 ` [RFC 7/9] snet: introduce snet_netlink.c and snet_netlink.h Samir Bellabes
2010-01-04 15:08 ` Patrick McHardy
2010-01-13 4:19 ` Samir Bellabes
2010-01-13 4:28 ` Samir Bellabes
2010-01-13 5:36 ` Patrick McHardy
2010-01-13 4:36 ` Samir Bellabes
2010-01-13 4:41 ` Samir Bellabes
2010-01-13 6:03 ` Samir Bellabes
2010-01-13 6:20 ` Samir Bellabes
2010-01-15 7:02 ` Samir Bellabes
2010-01-15 9:15 ` Samir Bellabes
2010-01-16 1:59 ` Samir Bellabes
2010-01-17 5:42 ` Samir Bellabes
2010-01-23 19:33 ` Samir Bellabes
2010-01-02 13:04 ` [RFC 8/9] snet: introduce snet_verdict.c and snet_verdict.h Samir Bellabes
2010-01-02 13:04 ` [RFC 9/9] snet: introduce snet_utils.c and snet_utils.h Samir Bellabes
2010-01-03 16:57 ` [RFC 0/9] snet: Security for NETwork syscalls jamal
2010-01-05 7:26 ` Samir Bellabes
2010-01-05 8:20 ` Tetsuo Handa
2010-01-05 14:09 ` Serge E. Hallyn
2010-01-06 0:23 ` [PATCH] LSM: Update comment on security_sock_rcv_skb Tetsuo Handa
2010-01-06 3:27 ` Serge E. Hallyn
2010-01-10 21:53 ` James Morris
2010-01-10 16:20 ` [RFC 0/9] snet: Security for NETwork syscalls jamal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20100102201303.GB27402@ioremap.net \
--to=zbr@ioremap$(echo .)net \
--cc=hadi@cyberus$(echo .)ca \
--cc=kaber@trash$(echo .)net \
--cc=linux-security-module@vger$(echo .)kernel.org \
--cc=netdev@vger$(echo .)kernel.org \
--cc=netfilter-devel@vger$(echo .)kernel.org \
--cc=nhorman@tuxdriver$(echo .)com \
--cc=sam@synack$(echo .)fr \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox