From a7d8601253f17943c994dff9be79f00d6d281ff5 Mon Sep 17 00:00:00 2001 From: Andrew Deason Date: Tue, 17 Dec 2013 17:30:26 -0600 Subject: [PATCH] LINUX: Use sock_create_kern where available Currently, we use sock_create to create our Rx socket. This means that accesses to that socket (sendmsg, recvmsg) are subject to SELinux restrictions. For all recvmsg accesses and some sendmsg accesses, this doesn't matter, since the access will be performed by one of our kernel threads (running as kernel_t or something similar, which is unrestricted). Such as: the rx listener, a background daemon, the rx event thread, etc. However, sometimes we do run in the context of a normal user process. For some RPCs like FetchStatus, we tend to run the RPC in the accessing user thread, which can result in us sendmsg()ing the data packets with the initial arguments in the user thread. We can also send delayed ACKs via rx_EndCall, and possibly a variety of other scenarios. In any of these situations when we are sendmsg()ing from a user thread, SELinux can prevent us from sending to the socket, if the calling user thread context is not able to write to an afs_t udp_socket. This will result in packets not being sent immediately, but the packets will be resent later, so access will work, but appear very slow. This can easily happen for processes that are specifically constrained by SELinux; for example, webservers are often constrained, even if most of the rest of the system is not. This can be noticed by seeing the 'resends' and 'sendFailed' counters rising in 'rxdebug -rxstat', as well as noticing SELinux access failures if 'dontaudit' rules are ignored. To avoid this, use sock_create_kern to create the Rx socket, to indicate that this is a socket for use by kernel code, and not accessible by a user. This should cause us to bypass any LSM restrictions (SELinux, AppArmor, etc). Add a configure check for this, since this function has not always existed, according to Reviewed-on: http://gerrit.openafs.org/10594 Tested-by: BuildBot Reviewed-by: Marc Dionne Reviewed-by: Michael Meffie Reviewed-by: Derrick Brashear (cherry picked from commit e988aa45d765c935fef4bcd35585d6a3594cc497) Change-Id: Ie04a8ac166dabf9fb8368d47d5624d1f319174bd Reviewed-on: http://gerrit.openafs.org/10598 Reviewed-by: Andrew Deason Reviewed-by: Marc Dionne Reviewed-by: D Brashear Reviewed-by: Stephan Wiesand Reviewed-by: Michael Meffie Tested-by: BuildBot --- acinclude.m4 | 3 +++ src/rx/LINUX/rx_knet.c | 4 +++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/acinclude.m4 b/acinclude.m4 index d815f69e2..012d5a448 100644 --- a/acinclude.m4 +++ b/acinclude.m4 @@ -942,6 +942,9 @@ case $AFS_SYSNAME in *_linux* | *_umlinux*) AC_CHECK_LINUX_FUNC([set_nlink], [#include ], [set_nlink(NULL, 1);]) + AC_CHECK_LINUX_FUNC([sock_create_kern], + [#include ], + [sock_create_kern(0, 0, 0, NULL);]) AC_CHECK_LINUX_FUNC([splice_direct_to_actor], [#include ], [splice_direct_to_actor(NULL,NULL,NULL);]) diff --git a/src/rx/LINUX/rx_knet.c b/src/rx/LINUX/rx_knet.c index fbef6a589..cb7034eea 100644 --- a/src/rx/LINUX/rx_knet.c +++ b/src/rx/LINUX/rx_knet.c @@ -42,7 +42,9 @@ rxk_NewSocketHost(afs_uint32 ahost, short aport) int pmtu = IP_PMTUDISC_DONT; #endif -#ifdef LINUX_KERNEL_SOCK_CREATE_V +#ifdef HAVE_LINUX_SOCK_CREATE_KERN + code = sock_create_kern(AF_INET, SOCK_DGRAM, IPPROTO_UDP, &sockp); +#elif defined(LINUX_KERNEL_SOCK_CREATE_V) code = sock_create(AF_INET, SOCK_DGRAM, IPPROTO_UDP, &sockp, 0); #else code = sock_create(AF_INET, SOCK_DGRAM, IPPROTO_UDP, &sockp); -- 2.39.5