selinux: rate-limit netlink message warnings in selinux_nlmsg_perm() Any process is able to send netlink messages with invalid types. Make the warning rate-limited to prevent too much log spam. The warning is supposed to help to find misbehaving programs, so print the triggering command name and pid. Reported-by: Florian Weimer <fweimer@redhat.com> Signed-off-by: Vladis Dronov <vdronov@redhat.com> [PM: subject line tweak to make checkpatch.pl happy] Signed-off-by: Paul Moore <pmoore@redhat.com>

commit: 76319946f321e30872dd72af7de867cb26e7a373 [log] [tgz]
author: Vladis Dronov <vdronov@redhat.com> Thu Dec 24 11:09:41 2015 -0500
committer: Paul Moore <pmoore@redhat.com> Thu Dec 24 11:09:41 2015 -0500
tree: eb12a0f9f5e31bd7fd5133771371ea00033a0e94
parent: f9df6458218f4fe8a1c3bf0af89c1fa9eaf0db39 [diff] [blame]
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 34e3351..40e071a 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c

@@ -4858,11 +4858,12 @@
 	err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
 	if (err) {
 		if (err == -EINVAL) {
-			printk(KERN_WARNING
-			       "SELinux: unrecognized netlink message:"
-			       " protocol=%hu nlmsg_type=%hu sclass=%s\n",
+			pr_warn_ratelimited("SELinux: unrecognized netlink"
+			       " message: protocol=%hu nlmsg_type=%hu sclass=%s"
+			       " pig=%d comm=%s\n",
 			       sk->sk_protocol, nlh->nlmsg_type,
-			       secclass_map[sksec->sclass - 1].name);
+			       secclass_map[sksec->sclass - 1].name,
+			       task_pid_nr(current), current->comm);
 			if (!selinux_enforcing || security_get_allow_unknown())
 				err = 0;
 		}
commit	76319946f321e30872dd72af7de867cb26e7a373	[log] [tgz]
author	Vladis Dronov <vdronov@redhat.com>	Thu Dec 24 11:09:41 2015 -0500
committer	Paul Moore <pmoore@redhat.com>	Thu Dec 24 11:09:41 2015 -0500
tree	eb12a0f9f5e31bd7fd5133771371ea00033a0e94
parent	f9df6458218f4fe8a1c3bf0af89c1fa9eaf0db39 [diff] [blame]