Re: 2.6.9-rc2-mm4-VP-S7 - ksoftirq and selinux oddity

From: Ingo Molnar
Date: Thu Oct 07 2004 - 15:19:28 EST



On Thu, 7 Oct 2004 Valdis.Kletnieks@xxxxxx wrote:

> audit(1097111349.782:0): avc: denied { recv_msg } for pid=2 comm=ksoftirqd/0 saddr=127.0.0.1 src=25 daddr=127.0.0.1 dest=59639 netif=lo scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:smtp_port_t tclass=tcp_socket
>
> At least for the recv_msg error, I *think* the message is generated
> because when we get into net/socket.c, we call security_socket_recvmsg()
> in __recv_msg() - and (possibly only when we have the VP patch applied?)
> at that point we're in a softirqd context rather than the context of the
> process that will finally receive the packet, so the SELinux code ends
> up checking the wrong credentials. I've not waded through the code
> enough to figure out exactly where the two tcp_recv messages are
> generated, but I suspect the root cause is the same for all three
> messages.

that would be a problem in the upstream kernel too - softirq load can
execute in any process context (and in ksoftirqd too).

Ingo
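Added example (not part of the original message and not kernel or SELinux project code): a small Python triage helper that parses the AVC record quoted above and marks when its `pid`/`comm` fields should not be read as the task the packet was destined for, following the point that softirq work can run in any process context. The function names, the `RECV_PERMS` set and the two contrast records are assumptions constructed for illustration.

```python
import re

# Record quoted in the message above, verbatim.
QUOTED = (
    "audit(1097111349.782:0): avc: denied { recv_msg } for pid=2 "
    "comm=ksoftirqd/0 saddr=127.0.0.1 src=25 daddr=127.0.0.1 dest=59639 "
    "netif=lo scontext=system_u:system_r:fsdaemon_t "
    "tcontext=system_u:object_r:smtp_port_t tclass=tcp_socket"
)
# Constructed contrast records (not from the thread).
CONSTRUCTED = [
    "audit(1097111350.100:0): avc: denied { tcp_recv } for pid=1432 comm=bash "
    "scontext=system_u:system_r:fsdaemon_t tclass=tcp_socket",
    "audit(1097111351.200:0): avc: denied { read } for pid=900 comm=smartd "
    "scontext=system_u:system_r:fsdaemon_t tclass=file",
]
AVC_RE = re.compile(
    r"audit\(\d+\.\d+:\d+\): avc:\s+(?P<result>\w+)\s+"
    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)"
)
KSOFTIRQD = re.compile(r"ksoftirqd/\d+$")
# Assumption: the two permission names mentioned in the thread.
RECV_PERMS = {"recv_msg", "tcp_recv"}

def parse_avc(line):
    """Split one AVC record into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"result": m["result"], "perms": set(m["perms"].split())}
    for token in m["fields"].split():
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value.strip('"')
    return rec

def comm_origin(rec):
    """Say how far pid/comm can be read as the task the check was about."""
    if KSOFTIRQD.match(rec.get("comm", "")):
        return "softirqd"       # logged while ksoftirqd was the current task
    if rec["perms"] & RECV_PERMS:
        return "maybe-softirq"  # softirq work can run in any process context
    return "process"

def summarize(line):
    """Return (comm origin, scontext type, comm), or None if not AVC."""
    rec = parse_avc(line)
    if rec is None:
        return None
    return comm_origin(rec), rec.get("scontext", "::").split(":")[2], rec.get("comm", "")
```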