Harden fail-closed handling, fix mutex leaks, and add mutation-verified tests #84
JeremiahM37 wants to merge 4 commits into
de383b6 to 451b106
douzzer left a comment:
There are a couple of false positives in the mix here -- the mitigations for them need to be reverted:
F-2836 "route_flags_to_add_on_insert accepts GREENLISTED flag, enabling auto-accept of all inserted routes"
F-2840 "route_flags_to_clear_on_insert accepts PENALTYBOXED flag without validation, bypassing penalty boxing for inserted routes"
I've closed the Fenrir issues as WontFix.
Also it would be good to have dispatch errors in the glue layer invoke the default policy, though that would be tricky. E.g. clearly there's no way to discover the default policy if the wolfsentry context is null -- ABRT seems reasonable there. But when there's a context to check, we should use its default.
451b106 to be38b34
Reverted the changes for F-2836 and F-2840. Glue dispatch failures now consult the context's configured default policy via wolfsentry_route_default_policy_get (under a shared lock), rejecting only if that policy rejects. If the policy can't be determined (NULL context, lock failure, or getter failure) it fails closed (ABRT / -WOLFIP_EACCES), matching the null-context case you flagged; the pre-existing null-context guards still ABRT before dispatch.
Fixes F-2060, F-2061, F-2438, F-2445, F-2446, F-2456, F-2458, F-2459, F-2460, F-2461, F-2464, F-2465, F-2837, F-2838, F-3866, F-3867, F-3869, F-3873
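The fail-closed decision tree discussed in the thread (dispatch error falls back to the context's default policy; NULL context, lock failure or getter failure all reject) is small enough to show as a stand-alone example. The block below is added here for illustration and is not wolfSentry's or the PR's code: `demo_ctx`, `ctx_shared_lock`, `ctx_default_policy_get`, `ctx_route_dispatch`, `glue_filter` and the `POLICY_*`/`VERDICT_*` enums are hypothetical stand-ins for the real context, lock, `wolfsentry_route_default_policy_get` and dispatch calls, and where the real glue ABRTs on a NULL context this version returns the reject verdict so the paths can be exercised in a test. The `lock_depth` counter is there to check the other concern in the PR title, that the shared lock is released on every path, including getter failure.

```c
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

/* Hypothetical stand-ins; not wolfSentry's types or API. */
typedef enum { POLICY_ACCEPT = 0, POLICY_REJECT = 1 } policy_t;
typedef enum { VERDICT_ACCEPT = 0, VERDICT_REJECT = -1 } verdict_t; /* -1 stands in for -WOLFIP_EACCES */

struct demo_ctx {
    policy_t default_policy; /* what wolfsentry_route_default_policy_get would report */
    bool lock_fails;         /* simulate shared-lock acquisition failure */
    bool getter_fails;       /* simulate default-policy getter failure */
    bool dispatch_fails;     /* simulate the route dispatch returning an error */
    int lock_depth;          /* lock/unlock pairing; must be 0 after every call */
};

static int ctx_shared_lock(struct demo_ctx *ctx) {
    if (ctx->lock_fails)
        return -1;
    ctx->lock_depth++;
    return 0;
}

static void ctx_shared_unlock(struct demo_ctx *ctx) {
    ctx->lock_depth--;
}

static int ctx_default_policy_get(struct demo_ctx *ctx, policy_t *out) {
    if (ctx->getter_fails)
        return -1;
    *out = ctx->default_policy;
    return 0;
}

/* Toy dispatch: anything starting with "BAD" is rejected by a matching route. */
static int ctx_route_dispatch(struct demo_ctx *ctx, const char *pkt, verdict_t *out) {
    if (ctx->dispatch_fails)
        return -1;
    *out = (strncmp(pkt, "BAD", 3) == 0) ? VERDICT_REJECT : VERDICT_ACCEPT;
    return 0;
}

/* Glue-layer filter implementing the fail-closed fallback described in the PR. */
verdict_t glue_filter(struct demo_ctx *ctx, const char *pkt) {
    verdict_t v;
    policy_t pol;
    int ret;

    /* No context means no way to learn the default policy: fail closed
     * (the real glue ABRTs here; this example returns reject). */
    if (ctx == NULL)
        return VERDICT_REJECT;

    /* Normal path: the dispatch result is the verdict. */
    if (ctx_route_dispatch(ctx, pkt, &v) == 0)
        return v;

    /* Dispatch failed: consult the configured default policy under a shared lock. */
    if (ctx_shared_lock(ctx) != 0)
        return VERDICT_REJECT;          /* can't read policy safely: fail closed */
    ret = ctx_default_policy_get(ctx, &pol);
    ctx_shared_unlock(ctx);             /* released on every path, including getter failure */
    if (ret != 0)
        return VERDICT_REJECT;          /* policy unknown: fail closed */

    return (pol == POLICY_REJECT) ? VERDICT_REJECT : VERDICT_ACCEPT;
}

/* Helper for checking lock hygiene after a call. */
int glue_lock_depth(const struct demo_ctx *ctx) {
    return ctx->lock_depth;
}
```

The ordering matters: the lock is released before the getter's return value is inspected, so the failure branch cannot leak it, which is the shape the PR's "fix mutex leaks" item is about.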