From: Sooyoung Ha Date: Mon, 20 Jun 2016 02:52:52 +0000 (+0900) Subject: Revert "netfilter: nfnetlink_queue: add security context information" X-Git-Tag: TizenStudio_2.0_p2.3.2~7^2~3 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=e506b9244224f354ea75ff437fb745eabcea3390;p=sdk%2Femulator%2Femulator-kernel.git Revert "netfilter: nfnetlink_queue: add security context information" This reverts commit 62d564c48b2fa0d0598298db97b3e895f0d5343e. Change-Id: I7c50b00ae41b0dc49c7da148e99af27932c6e29d Signed-off-by: Sooyoung Ha --- diff --git a/include/uapi/linux/netfilter/nfnetlink_queue.h b/include/uapi/linux/netfilter/nfnetlink_queue.h index b67a853638ff..8dd819e2b5fe 100644 --- a/include/uapi/linux/netfilter/nfnetlink_queue.h +++ b/include/uapi/linux/netfilter/nfnetlink_queue.h @@ -49,7 +49,6 @@ enum nfqnl_attr_type { NFQA_EXP, /* nf_conntrack_netlink.h */ NFQA_UID, /* __u32 sk uid */ NFQA_GID, /* __u32 sk gid */ - NFQA_SECCTX, /* security context string */ __NFQA_MAX }; @@ -103,8 +102,7 @@ enum nfqnl_attr_config { #define NFQA_CFG_F_CONNTRACK (1 << 1) #define NFQA_CFG_F_GSO (1 << 2) #define NFQA_CFG_F_UID_GID (1 << 3) -#define NFQA_CFG_F_SECCTX (1 << 4) -#define NFQA_CFG_F_MAX (1 << 5) +#define NFQA_CFG_F_MAX (1 << 4) /* flags for NFQA_SKB_INFO */ /* packet appears to have wrong checksums, but they are ok */ diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c index abcf93062e5c..108120f216b1 100644 --- a/net/netfilter/nfnetlink_queue_core.c +++ b/net/netfilter/nfnetlink_queue_core.c @@ -278,23 +278,6 @@ nla_put_failure: return -1; } -static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata) -{ - u32 seclen = 0; -#if IS_ENABLED(CONFIG_NETWORK_SECMARK) - if (skb->sk->sk_state == TCP_TIME_WAIT) - return 0; - - read_lock_bh(&skb->sk->sk_callback_lock); - - if (skb->secmark) - security_secid_to_secctx(skb->secmark, secdata, &seclen); - - read_unlock_bh(&skb->sk->sk_callback_lock); -#endif - return seclen; -} - static struct sk_buff * nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, struct nf_queue_entry *entry, @@ -313,9 +296,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, struct net_device *outdev; struct nf_conn *ct = NULL; enum ip_conntrack_info uninitialized_var(ctinfo); - bool csum_verify; - char *secdata = NULL; - u32 seclen = 0; + bool csum_verify; size = nlmsg_total_size(sizeof(struct nfgenmsg)) + nla_total_size(sizeof(struct nfqnl_msg_packet_hdr)) @@ -371,13 +352,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, + nla_total_size(sizeof(u_int32_t))); /* gid */ } - if ((queue->flags & NFQA_CFG_F_SECCTX) && entskb->sk) { - seclen = nfqnl_get_sk_secctx(entskb, &secdata); - if (seclen) - size += nla_total_size(seclen); - } - - skb = nfnetlink_alloc_skb(&init_net, size, queue->peer_portid, + skb = nfnetlink_alloc_skb(net, size, queue->peer_portid, GFP_ATOMIC); if (!skb) { skb_tx_error(entskb); @@ -496,9 +471,6 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, nfqnl_put_sk_uidgid(skb, entskb->sk) < 0) goto nla_put_failure; - if (seclen && nla_put(skb, NFQA_SECCTX, seclen, secdata)) - goto nla_put_failure; - if (ct && nfqnl_ct_put(skb, ct, ctinfo) < 0) goto nla_put_failure; @@ -1161,12 +1133,7 @@ nfqnl_recv_config(struct sock *ctnl, struct sk_buff *skb, ret = -EOPNOTSUPP; goto err_out_unlock; } -#if !IS_ENABLED(CONFIG_NETWORK_SECMARK) - if (flags & mask & NFQA_CFG_F_SECCTX) { - ret = -EOPNOTSUPP; - goto err_out_unlock; - } -#endif + spin_lock_bh(&queue->lock); queue->flags &= ~mask; queue->flags |= flags & mask;