LKML Archive on lore.kernel.org
From: Casey Schaufler <casey@schaufler-ca.com>
To: Paul Moore <paul@paul-moore.com>
Cc: Jiang Wang <jiang.wang@bytedance.com>,
	Andrii Nakryiko <andrii@kernel.org>,
	Jakub Sitnicki <jakub@cloudflare.com>,
	John Fastabend <john.fastabend@gmail.com>,
	LKML <linux-kernel@vger.kernel.org>,
	Linux Security Module list 
	<linux-security-module@vger.kernel.org>,
	"netdev@vger.kernel.org" <netdev@vger.kernel.org>
Subject: Re: Regression in unix stream sockets with the Smack LSM
Date: Tue, 14 Sep 2021 15:14:44 -0700
Message-ID: <a5dc3f59-edc2-825a-31f6-7914c97a14d8@schaufler-ca.com>
In-Reply-To: <CAHC9VhR9SKX_-SAmtcCj+vuUvcdq-SWzKs86BKMjBcC8GhJ1gg@mail.gmail.com>

On 9/13/2021 4:47 PM, Paul Moore wrote:
> On Mon, Sep 13, 2021 at 6:53 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>> Commit 77462de14a43f4d98dbd8de0f5743a4e02450b1d
>>
>>         af_unix: Add read_sock for stream socket types
>>
>> introduced a regression in UDS socket connections for the Smack LSM.
>> I have not tracked down the details of why the change broke the code,
>> but this is where bisecting the kernel indicates the problem lies, and
>> I have verified that reverting this change repairs the problem.
>>
>> You can verify the problem with the Smack test suite:
>>
>>         https://github.com/smack-team/smack-testsuite.git
>>
>> The failing test is tests/uds-access.sh.
>>
>> I have not looked to see if there's a similar problem with SELinux.
>> There may be, but if there isn't it doesn't matter, there's still a
>> bug.
> FWIW, the selinux-testsuite tests ran clean today with v5.15-rc1 (it
> looks like this code is only in v5.15) but as Casey said, a regression
> is a regression.
>
> Casey, what actually fails on the Smack system with this commit?

I reran the bisection and got a different answer, but the same set of
suspects. The change:

commit 94531cfcbe79c3598acf96806627b2137ca32eb9

    af_unix: Add unix_stream_proto for sockmap

came up this time. The two suspect patches are related.

The Smack access check on UDS stream sockets is behaving erratically,
as if it's using random data to make its checks. I can run the same
test on the same system with the same kernel and get different results.
The trivial test, where the Smack labels are the same, sometimes fails.
But not always.


