Re: [PATCH] selinux: convert WARN_ONCE() to printk_once() in selinux_nlmsg_perm()

On Wednesday, November 12, 2014 02:01:34 PM Richard Guy Briggs wrote:
> Convert WARN_ONCE() to printk_once() in selinux_nlmsg_perm().
> 
> After conversion from audit_log() in commit e173fb26, WARN_ONCE() was deemed
> too alarmist, so switch it to printk_once().  If this gets buried in the
> noise, it may be converted to a rate-limited call in the future.
> 
> Signed-off-by: Richard Guy Briggs <rgb@xxxxxxxxxx>
> ---
>  security/selinux/hooks.c |    6 +++---
>  1 files changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index e663141..17d0066 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -4725,9 +4725,9 @@ static int selinux_nlmsg_perm(struct sock *sk, struct
> sk_buff *skb) err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type,
> &perm); if (err) {
>  		if (err == -EINVAL) {
> -			WARN_ONCE(1, "selinux_nlmsg_perm: unrecognized netlink 
message:"
> -				  " protocol=%hu nlmsg_type=%hu sclass=%hu\n",
> -				  sk->sk_protocol, nlh->nlmsg_type, sksec->sclass);
> +			printk_once("selinux_nlmsg_perm: unrecognized netlink message:"
> +				    " protocol=%hu nlmsg_type=%hu sclass=%hu\n",
> +				    sk->sk_protocol, nlh->nlmsg_type, sksec->sclass);
>  			if (!selinux_enforcing || security_get_allow_unknown())
>  				err = 0;
>  		}
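
Review bot: the new printk_once() call in the -EINVAL branch has no log level, so the message goes out at the default message log level rather than as a warning. Give it an explicit level, for example KERN_WARNING in the format string or pr_warn_once(). Separately, the format string prints per-message values (protocol, nlmsg_type, sclass), but the once semantics mean only the first unrecognized message is ever reported; later messages with different values are silently dropped. The commit message already anticipates a rate-limited call, so printk_ratelimited() or pr_warn_ratelimited() here would keep the output bounded while still logging distinct unknown message types.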

My apologies, I should have noticed this sooner, but printk_once() is probably 
not a good choice here as only the first invalid netlink message will be 
displayed.  This is fine if all the invalid netlink messages happen to be the 
same, but that isn't likely to be the case.

Richard, any objections if I convert the printk_once() to a printk(WARN) and 
update the patch description accordingly?

-- 
paul moore
security and virtualization @ redhat
