From patchwork Thu Sep 27 17:58:56 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Christian Brauner X-Patchwork-Id: 975842 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=brauner.io Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; secure) header.d=brauner.io header.i=@brauner.io header.b="XOMZme7/"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 42LjJG225tz9s3Z for ; Fri, 28 Sep 2018 03:59:58 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728698AbeI1ATV (ORCPT ); Thu, 27 Sep 2018 20:19:21 -0400 Received: from mail-ed1-f68.google.com ([209.85.208.68]:42911 "EHLO mail-ed1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728370AbeI1ATI (ORCPT ); Thu, 27 Sep 2018 20:19:08 -0400 Received: by mail-ed1-f68.google.com with SMTP id b20-v6so5848868edr.9 for ; Thu, 27 Sep 2018 10:59:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=brauner.io; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=//4teGx2aqB1iUXfxLOI165v5hE2Bibr4eSEPlWj71c=; b=XOMZme7/dlhYD9c/JGgN8lf+xDfuBQg4hBTpysq0HK9md5iUCSwkbdg/GapnQXjuVp 3xouYNlX7OclL0IW2gj9EUYWaMQp27c/9+5QrsyRGLxdPm1j75X2WWWGlHSToWdRAZAf Cjr26NjtTerlXq/Dabkxxj4YfyWsY2Q/BXpKrgDu28zscavCfBmfXJsdLYeQk0yma2I9 p7ujkZHLUucmOmK6DDsrKTWPOmFQrt4ebS/SxT333kUk9f4t4uSW83vi18+O24X0WlUY PQX6eUkqrklF2nyoAE7XrboSUaw3vWP8yLD1mYHMExzV2vSGz+7uC8q5RTs/DVjt2xGE 8jig== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=//4teGx2aqB1iUXfxLOI165v5hE2Bibr4eSEPlWj71c=; b=OgYTBa5nJ8ONp4NrfkFwyMmfKnVpY5WLY48Z5fLwN41PYCz3pCcRfMRON13yEkAx63 xNkISzRe+izQhfqMa51jdBAFb/rV+6aum3iOlEDYlCH1niOXHcD4NAIdKNdzeuzwWQFa x89g07P6p/7qhwIiQah4t2IX++jL2el/mb7xzY7hQOL2JRakaHEnd3bHcbuZ37h6jJnS W10MfdOR7bVxO01XNZYv02z4cqbuwBK1Nk+KlNprCjpZsvY1z6YMZ+nyrVFk9dhMUtZe 7El9yqlyvNpeCCTRAFSRRseD+E0zIZqJ942Pxm6/ZEUapBjKq14g/YVLe6eug3VxYHGK ZXbQ== X-Gm-Message-State: ABuFfoh3G2KGgJfrPGf1wgrhV8hwbmjT2KaYioW6KM7ej1BqGlj0lWfX /p/feA89mexSzc5WXpVjVgg+fg== X-Google-Smtp-Source: ACcGV62CBa6SJDpxAssNKPxLwsEU/SaMug/DJvUnAkKu/ojW5sDCWnmkyB/6psBY2qSEKYy76F++DQ== X-Received: by 2002:a50:c2c9:: with SMTP id u9-v6mr9852227edf.15.1538071180843; Thu, 27 Sep 2018 10:59:40 -0700 (PDT) Received: from localhost.localdomain (fa-padur-binz.ediscom.de. [212.204.40.18]) by smtp.gmail.com with ESMTPSA id a9-v6sm1532606edi.26.2018.09.27.10.59.39 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 27 Sep 2018 10:59:39 -0700 (PDT) From: Christian Brauner To: jbenc@redhat.com, davem@davemloft.net, dsahern@gmail.com, stephen@networkplumber.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Christian Brauner Subject: [PATCH net-next 6/7] selinux: add RTM_GETADDR2 Date: Thu, 27 Sep 2018 19:58:56 +0200 Message-Id: <20180927175857.3511-7-christian@brauner.io> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180927175857.3511-1-christian@brauner.io> References: <20180927175857.3511-1-christian@brauner.io> Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Various userspace programs (e.g. iproute2) have sent RTM_GETADDR requests with struct ifinfomsg. This is wrong and should have been struct ifaddrmsg all along as mandated by the manpages. However, dump requests so far didn't parse the netlink message that was sent and succeeded even when a wrong struct was passed along. Currently, the message is parsed under the assumption that the correct struct ifaddrmsg is sent down. If the parsing fails the kernel will still fulfill the request to preserve backwards compatability but a rate-limited message that there were leftover bytes after parsing the message is recorded in dmesg. It has been argued that this is unacceptable [1]. But various new features that got and will get added to RTM_GETADDR make it necessary to definitely know what header was passed along. This is currently not possible without resorting to (likely unreliable) hacks such as introducing a nested attribute that ensures that RTM_GETADDR which pass along properties such as IFA_TARGET_NETNSID always exceed RTM_GETADDR requests that send down the wrong struct ifinfomsg [2]. Basically, multiple approaches to solve this have been shut down. Furthermore, the API expressed via RTM_GETADDR is apparently frozen [3] so the wiggle room at this point seems very much zero. The correct solution at this point seems to me to introduce a new RTM_GETADDR2 request. This way we can parse the message and fail hard if the struct is not struct ifaddrmsg and can safely extend it in the future. Userspace tools that rely on the buggy RTM_GETADDR API will still keep working without even having to see any log messages and new userspace tools that want to make user of new features can make use of the new RTM_GETADDR2 requests. [1]: https://lists.openwall.net/netdev/2018/09/25/59 [2]: https://lists.openwall.net/netdev/2018/09/25/75 [3]: https://lists.openwall.net/netdev/2018/09/26/166 Signed-off-by: Christian Brauner Cc: David Ahern Cc: Jiri Benc Cc: Stephen Hemminger --- security/selinux/nlmsgtab.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c index 74b951f55608..3c45f50e987d 100644 --- a/security/selinux/nlmsgtab.c +++ b/security/selinux/nlmsgtab.c @@ -80,6 +80,7 @@ static const struct nlmsg_perm nlmsg_route_perms[] = { RTM_NEWSTATS, NETLINK_ROUTE_SOCKET__NLMSG_READ }, { RTM_GETSTATS, NETLINK_ROUTE_SOCKET__NLMSG_READ }, { RTM_NEWCACHEREPORT, NETLINK_ROUTE_SOCKET__NLMSG_READ }, + { RTM_GETADDR2, NETLINK_ROUTE_SOCKET__NLMSG_READ }, }; static const struct nlmsg_perm nlmsg_tcpdiag_perms[] = @@ -159,7 +160,7 @@ int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm) switch (sclass) { case SECCLASS_NETLINK_ROUTE_SOCKET: /* RTM_MAX always point to RTM_SETxxxx, ie RTM_NEWxxx + 3 */ - BUILD_BUG_ON(RTM_MAX != (RTM_NEWCHAIN + 3)); + BUILD_BUG_ON(RTM_MAX != (RTM_GETADDR2 + 1)); err = nlmsg_perm(nlmsg_type, perm, nlmsg_route_perms, sizeof(nlmsg_route_perms)); break;