On Tuesday 30 May 2006 13:42, Paul Moore wrote:
> I've uncovered some problems while running my poor-man's stress test on
> the x86_64 kernels but that shouldn't get in the way of normal usage.
> I'll post an update once I have resolved the issue.
OK. I've also experienced a problem where the network is unresponsive.
Haven't seen this before....
> > But looking at the patch...I have some questions. (Normally, I would put
> > comments inline with the patch, but this patch is too big for that.)
> >
> > 1) How is errors sent back to user space when a metlink command does not
> > work?
>
> All of the NetLabel commands sent over netlink are ACK'd to some extent;
They all need to do it in a consistent way. For example, in netlbl_mgmt_rcv
+ if (nl_hdr == NULL ||
+ msg == NULL ||
+ nlmsg_len(nl_hdr) < sizeof(struct netlbl_mgmt_msghdr))
+ return;
So this is clearly -EINVAL...user space needs to know that.
> either through an explicit ACK message, and error message, or a data
> message. Check out the header files in net/netlabel to get a better
> idea of the "protocol".
The above is just one example, there are more like this.
Looking at the first function in that one, netlbl_mgmt_add. At the bottom is
this:
+add_failure:
+ if (entry) {
+ if (entry->domain)
+ kfree(entry->domain);
+ kfree(entry);
+ }
+ netlbl_mgmt_send_ack(nl_hdr, NETLBL_MGMT_E_ERR);
How do you tell user space why the message failed? Would they care about EPERM
vs EINVAL vs ENOMEM? I would think its better to let user space see why it
failed and let the user decide what to do to fix it? (like su'ing to root and
reissue the command.)
Staying with netlbl_mgmt_add...its declared as a function that returns an int.
Nothing checks its return value.
> > 2) Are there any capabilities checks needed to issue commands to the
> > subsystem? Or can any user send commands?
>
> Comments/suggestions/examples/etc are always welcome.
>From net/netfilter/nfnetlink.c nfnetlink_rcv_msg()
if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN)) {
DEBUGP("missing CAP_NET_ADMIN\n");
*errp = -EPERM;
return -1;
}
> > 4) Do you need to use NLMSG_ALIGN macro when checking sizes of things?
>
> From my understanding of netlink the start of the data portion needs to
> be aligned but I think that is it ... however, I could very easily be
> wrong here - anyone?
Looking at net/netfilter/nfnetlink.c nfnetlink_rcv_msg(), I see stuff like:
if (nlh->nlmsg_len < NLMSG_SPACE(sizeof(struct nfgenmsg)))
NLMSG_SPACE uses the alignment macro.
> > 5) Should you be using NETLINK_CB(skb).pid instead of nl_hdr->nlmsg_pid?
>
> I don't know, should I?
This macro gets the data out of the control block which is filled in by
netlink_sendmsg. Using nl_hdr comes from the data section of the skb, which I
think is set by user space. I'd trust the data from the cb section.
> > Also, is there a user space tool that you are testing the netlink
> > interface with ?
>
> Yep, I've posted a link to this a few times but it may have gotten
> overlooked, here it is:
Thanks. Got it this time. Now if I can just scp it into the machine... :)
-Steve
--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
