> Now that CONFIG_FILTER was nuked, the __sk_filter helper can be collapsed
> back into sk_filter. This eliminates bypassing the security hook by
> using the wrong part of the api.
Good thinking, thanks.
- James
-- James Morris <jmorris@intercode.com.au>
Chris' patch below.
===== include/net/sock.h 1.34 vs edited ===== --- 1.34/include/net/sock.h Sun Mar 30 01:45:41 2003 +++ edited/include/net/sock.h Sun Apr 13 22:45:21 2003 @@ -453,7 +453,7 @@ extern void sock_init_data(struct socket *sock, struct sock *sk); /** - * __sk_filter - run a packet through a socket filter + * sk_filter - run a packet through a socket filter * @sk: sock associated with &sk_buff * @skb: buffer to filter * @needlock: set to 1 if the sock is not locked by caller. @@ -464,14 +464,16 @@ * wrapper to sk_run_filter. It returns 0 if the packet should * be accepted or -EPERM if the packet should be tossed. * - * This function should not be called directly, use sk_filter instead - * to ensure that the LSM security check is also performed. */ -static inline int __sk_filter(struct sock *sk, struct sk_buff *skb, int needlock) +static inline int sk_filter(struct sock *sk, struct sk_buff *skb, int needlock) { - int err = 0; - + int err; + + err = security_sock_rcv_skb(sk, skb); + if (err) + return err; + if (sk->filter) { struct sk_filter *filter; @@ -516,17 +518,6 @@ { atomic_inc(&fp->refcnt); atomic_add(sk_filter_len(fp), &sk->omem_alloc); -} - -static inline int sk_filter(struct sock *sk, struct sk_buff *skb, int needlock) -{ - int err; - - err = security_sock_rcv_skb(sk, skb); - if (err) - return err; - - return __sk_filter(sk, skb, needlock); } /*
- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/