• Pablo Neira Ayuso's avatar
    netfilter: fix export secctx error handling · cba85b53
    Pablo Neira Ayuso authored
    In 1ae4de0c
    
    , the secctx was exported
    via the /proc/net/netfilter/nf_conntrack and ctnetlink interfaces
    instead of the secmark.
    
    That patch introduced the use of security_secid_to_secctx() which may
    return a non-zero value on error.
    
    In one of my setups, I have NF_CONNTRACK_SECMARK enabled but no
    security modules. Thus, security_secid_to_secctx() returns a negative
    value that results in the breakage of the /proc and `conntrack -L'
    outputs. To fix this, we skip the inclusion of secctx if the
    aforementioned function fails.
    
    This patch also fixes the dynamic netlink message size calculation
    if security_secid_to_secctx() returns an error, since its logic is
    also wrong.
    
    This problem exists in Linux kernel >= 2.6.37.
    Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    cba85b53
nf_conntrack_netlink.c 51.7 KB