1. 20 Mar, 2008 5 commits
    • Pavel Emelyanov's avatar
      audit: netlink socket can be auto-bound to pid other than current->pid (v2) · 75c0371a
      Pavel Emelyanov authored
      From:	Pavel Emelyanov <xemul@openvz.org>
      
      This patch is based on the one from Thomas.
      
      The kauditd_thread() calls the netlink_unicast() and passes 
      the audit_pid to it. The audit_pid, in turn, is received from 
      the user space and the tool (I've checked the audit v1.6.9) 
      uses getpid() to pass one in the kernel. Besides, this tool 
      doesn't bind the netlink socket to this id, but simply creates 
      it allowing the kernel to auto-bind one.
      
      That's the preamble.
      
      The problem is that netlink_autobind() _does_not_ guarantees
      that the socket will be auto-bound to the current pid. Instead
      it uses the current pid as a hint to start looking for a free
      id. So, in case of conflict, the audit messages can be sent
      to a wrong socket. This can happen (it's unlikely, but can be)
      in case some task opens more than one netlink sockets and then
      the audit one starts - in this case the audit's pid can be busy
      and its socket will be bound to another id.
      
      The proposal is to introduce an audit_nlk_pid in audit subsys,
      that will point to the netlink socket to send packets to. It
      will most often be equal to audit_pid. The socket id can be 
      got from the skb's netlink CB right in the audit_receive_msg.
      The audit_nlk_pid reset to 0 is not required, since all the
      decisions are taken based on audit_pid value only.
      
      Later, if the audit tools will bind the socket themselves, the
      kernel will have to provide a way to setup the audit_nlk_pid
      as well.
      
      A good side effect of this patch is that audit_pid can later 
      be converted to struct pid, as it is not longer safe to use 
      pid_t-s in the presence of pid namespaces. But audit code still 
      uses the tgid from task_struct in the audit_signal_info and in
      the audit_filter_syscall.
      Signed-off-by: default avatarThomas Graf <tgraf@suug.ch>
      Signed-off-by: default avatarPavel Emelyanov <xemul@openvz.org>
      Acked-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      75c0371a
    • Andre Noll's avatar
      [NET]: Fix permissions of /proc/net · 4f42c288
      Andre Noll authored
      commit e9720acd ([NET]: Make /proc/net a symlink on /proc/self/net (v3))
      broke ganglia and probably other applications that read /proc/net/dev.
      
      This is due to the change of permissions of /proc/net that was
      introduced in that commit.
      
      Before: dr-xr-xr-x 5 root root 0 Mar 19 11:30 /proc/net
      After: dr-xr--r-- 5 root root 0 Mar 19 11:29 /proc/self/net
      
      This patch restores the permissions to the old value which makes
      ganglia happy again.
      
      Pavel Emelyanov says:
      
      	This also broke the postfix, as it was reported in bug #10286
      	and described in detail by Benjamin.
      Signed-off-by: default avatarAndre Noll <maan@systemlinux.org>
      Acked-by: default avatarPavel Emelyanov <xemul@openvz.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4f42c288
    • Vlad Yasevich's avatar
      [SCTP]: Fix a race between module load and protosw access · 270637ab
      Vlad Yasevich authored
      There is a race is SCTP between the loading of the module
      and the access by the socket layer to the protocol functions.
      In particular, a list of addresss that SCTP maintains is
      not initialized prior to the registration with the protosw.
      Thus it is possible for a user application to gain access
      to SCTP functions before everything has been initialized.
      The problem shows up as odd crashes during connection
      initializtion when we try to access the SCTP address list.
      
      The solution is to refactor how we do registration and
      initialize the lists prior to registering with the protosw.
      Care must be taken since the address list initialization
      depends on some other pieces of SCTP initialization.  Also
      the clean-up in case of failure now also needs to be refactored.
      Signed-off-by: default avatarVlad Yasevich <vladislav.yasevich@hp.com>
      Acked-by: default avatarSridhar Samudrala <sri@us.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      270637ab
    • Daniel Hokka Zakrisson's avatar
      [NETFILTER]: ipt_recent: sanity check hit count · d0ebf133
      Daniel Hokka Zakrisson authored
      If a rule using ipt_recent is created with a hit count greater than
      ip_pkt_list_tot, the rule will never match as it cannot keep track
      of enough timestamps. This patch makes ipt_recent refuse to create such
      rules.
      
      With ip_pkt_list_tot's default value of 20, the following can be used
      to reproduce the problem.
      
      nc -u -l 0.0.0.0 1234 &
      for i in `seq 1 100`; do echo $i | nc -w 1 -u 127.0.0.1 1234; done
      
      This limits it to 20 packets:
      iptables -A OUTPUT -p udp --dport 1234 -m recent --set --name test \
               --rsource
      iptables -A OUTPUT -p udp --dport 1234 -m recent --update --seconds \
               60 --hitcount 20 --name test --rsource -j DROP
      
      While this is unlimited:
      iptables -A OUTPUT -p udp --dport 1234 -m recent --set --name test \
               --rsource
      iptables -A OUTPUT -p udp --dport 1234 -m recent --update --seconds \
               60 --hitcount 21 --name test --rsource -j DROP
      
      With the patch the second rule-set will throw an EINVAL.
      Reported-by: default avatarSean Kennedy <skennedy@vcn.com>
      Signed-off-by: default avatarDaniel Hokka Zakrisson <daniel@hozac.com>
      Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d0ebf133
    • Roel Kluin's avatar
      [NETFILTER]: nf_conntrack_h323: logical-bitwise & confusion in process_setup() · 6aebb9b2
      Roel Kluin authored
      logical-bitwise & confusion
      Signed-off-by: default avatarRoel Kluin <12o3l@tiscali.nl>
      Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6aebb9b2
  2. 18 Mar, 2008 2 commits
  3. 17 Mar, 2008 33 commits