Steve Grubb wrote:
> On Friday 26 May 2006 17:33, Paul Moore wrote:
>> For the curious this is the change between the lspp.29 patch and the one
>> attached to this mail, from the include/net/netlabel.h file:
>
> Thanks for the patch update. lspp.31 is building, but I can confirm it's
> working.
>
Thanks for adding it to lspp.31, sorry about the x86_64 problems with the
earlier patch. I've uncovered some problems while running my poor-man's
stress test on the x86_64 kernels but that shouldn't get in the way of
normal usage. I'll post an update once I have resolved the issue.

> But looking at the patch...I have some questions. (Normally, I would put
> comments inline with the patch, but this patch is too big for that.)
>
> 1) How are errors sent back to user space when a netlink command does not
> work?

All of the NetLabel commands sent over netlink are ACK'd to some extent;
either through an explicit ACK message, an error message, or a data message.
Check out the header files in net/netlabel to get a better idea of the
"protocol".

> 2) Are there any capabilities checks needed to issue commands to the
> subsystem? Or can any user send commands?

Not yet, although there will need to be for obvious reasons.
Comments/suggestions/examples/etc are always welcome.

> 3) How carefully is the data from user space being checked before using it?
> Usually it needs to be carefully checked and then used.

I think I'm doing a pretty thorough job of checking the commands from
user-space before acting on them, however, I haven't yet done any exotic
corner case testing so I'm sure there is a field or two waiting to panic my
test system ;) Is this comment/question based on something you saw in the
patch or just a general concern about kernel-user interaction? If there is
something specific please let me know.

> 4) Do you need to use NLMSG_ALIGN macro when checking sizes of things?

From my understanding of netlink the start of the data portion needs to be
aligned but I think that is it ... however, I could very easily be wrong
here - anyone?

> 5) Should you be using NETLINK_CB(skb).pid instead of nl_hdr->nlmsg_pid?

I don't know, should I?
I haven't found much *good* documentation on netlink so what I have in the
patch is cobbled together from some old Linux Journal article as well as a
few other pieces of existing kernel code. As a result I'm sure there are a
few dumb things, I just don't know what they are, yet. If you, or anyone
else reading this, knows for certain please shoot me some mail.

> Also, is there a user space tool that you are testing the netlink interface
> with?

Yep, I've posted a link to this a few times but it may have gotten
overlooked, here it is:

http://free.linux.hp.com/~pmoore/projects/linux_cipso/netlabel_tools-05032006.tar.gz

It's still a little crude but it works.

-- 
paul moore
linux security @ hp

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
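Questions 3 and 4 in the message above concern how a netlink receive path should check lengths before acting on sender-supplied data. The following is an added example, not code from the NetLabel patch or from anyone in the thread: it re-declares the nlmsghdr struct and the NLMSG_ALIGN macro as they appear in <linux/netlink.h> so it builds in user space without kernel headers, and message type 0x10 and the payloads are constructed for the example.

```c
/* Added example, not from the NetLabel patch: the NLMSG_OK / NLMSG_NEXT length
 * checks a netlink receive path applies before trusting sender-controlled fields.
 * Struct and macros mirror <linux/netlink.h>; type 0x10 and payloads are made up. */
#include <errno.h>
#include <stdint.h>
#include <string.h>
struct nlmsghdr { uint32_t nlmsg_len;  uint16_t nlmsg_type; uint16_t nlmsg_flags;
                  uint32_t nlmsg_seq;  uint32_t nlmsg_pid; }; /* pid: set by sender */
#define NLMSG_ALIGNTO 4U
#define NLMSG_ALIGN(len) (((len) + NLMSG_ALIGNTO - 1) & ~(NLMSG_ALIGNTO - 1))

/* Appends one message at dst and returns the padded size it occupies. */
static size_t put_msg(unsigned char *dst, uint16_t type, const char *p, size_t plen)
{
    struct nlmsghdr h = { (uint32_t)(sizeof h + plen), type, 0, 1, 0 };
    memcpy(dst, &h, sizeof h);
    memcpy(dst + sizeof h, p, plen);
    return NLMSG_ALIGN(h.nlmsg_len);        /* nlmsg_len itself is unpadded */
}

/* Returns the number of well-formed messages, or -EINVAL as soon as a header
 * claims fewer bytes than a header or more than remain in the buffer. */
int walk_netlink_buffer(const unsigned char *buf, size_t len)
{
    int count = 0;
    while (len >= sizeof(struct nlmsghdr)) {
        struct nlmsghdr h;
        memcpy(&h, buf, sizeof h);                    /* NLMSG_OK: validate first */
        if (h.nlmsg_len < sizeof h || h.nlmsg_len > len) return -EINVAL;
        count++;
        size_t step = NLMSG_ALIGN(h.nlmsg_len);      /* NLMSG_NEXT: padded length */
        if (step >= len) break;                       /* last message may lack padding */
        buf += step; len -= step;
    }
    return count;
}
/* Two valid messages; "abc" leaves one byte of padding before the next header. */
int count_good_messages(void)
{
    unsigned char buf[64] = { 0 };
    size_t n = put_msg(buf, 0x10, "abc", 3);
    n += put_msg(buf + n, 0x10, "hello", 5);
    return walk_netlink_buffer(buf, n);
}
/* A header claiming 40 bytes when only 16 arrived is rejected, not read. */
int truncated_is_rejected(void)
{
    struct nlmsghdr h = { 40, 0x10, 0, 1, 0 };
    return walk_netlink_buffer((const unsigned char *)&h, sizeof h) == -EINVAL;
}
```

Stepping by the padded length while validating against the unpadded nlmsg_len is the detail NLMSG_ALIGN exists for; a walker that uses nlmsg_len for both will misparse the second header after any payload whose size is not a multiple of four.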
