Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm / cba85b532e4aabdb97f44c18987d45141fd93faa
commitcba85b532e4aabdb97f44c18987d45141fd93faa[log] [tgz]
authorPablo Neira Ayuso <pablo@netfilter.org>Thu Jan 06 11:25:00 2011 -0800
committerDavid S. Miller <davem@davemloft.net>Thu Jan 06 11:25:00 2011 -0800
tree785e2a715a922c36b15e1929473498e3b3aae724
parentf682cefa5ad204d3bfaa54a58046c66d2d035ac1 [diff]
netfilter: fix export secctx error handling

In 1ae4de0cdf855305765592647025bde55e85e451, the secctx was exported
via the /proc/net/netfilter/nf_conntrack and ctnetlink interfaces
instead of the secmark.

That patch introduced the use of security_secid_to_secctx() which may
return a non-zero value on error.

In one of my setups, I have NF_CONNTRACK_SECMARK enabled but no
security modules. Thus, security_secid_to_secctx() returns a negative
value that results in the breakage of the /proc and `conntrack -L'
outputs. To fix this, we skip the inclusion of secctx if the
aforementioned function fails.

This patch also fixes the dynamic netlink message size calculation
if security_secid_to_secctx() returns an error, since its logic is
also wrong.

This problem exists in Linux kernel >= 2.6.37.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
3 files changed
tree: 785e2a715a922c36b15e1929473498e3b3aae724
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. firmware/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. mm/
  14. net/
  15. samples/
  16. scripts/
  17. security/
  18. sound/
  19. tools/
  20. usr/
  21. virt/
  22. .gitignore
  23. .mailmap
  24. COPYING
  25. CREDITS
  26. Kbuild
  27. Kconfig
  28. MAINTAINERS
  29. Makefile
  30. README
  31. REPORTING-BUGS