Smack: unlabeled outgoing ambient packets
Smack uses CIPSO labeling, but allows for unlabeled packets by
specifying an "ambient" label that is applied to incoming unlabeled
packets.
Because the other end of the connection may dislike IP options, and ssh
is one know application that behaves thus, it is prudent to respond in
kind.
This patch changes the network labeling behavior such that an outgoing
packet that would be given a CIPSO label that matches the ambient label
is left unlabeled. An "unlbl" domain is added and the netlabel
defaulting mechanism invoked rather than assuming that everything is
CIPSO. Locking has been added around changes to the ambient label as
the mechanisms used to do so are more involved.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 2b5d6f7..25cbfa3 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1251,9 +1251,8 @@
switch (smack_net_nltype) {
case NETLBL_NLTYPE_CIPSOV4:
- nlsp->domain = NULL;
- nlsp->flags = NETLBL_SECATTR_DOMAIN;
- nlsp->flags |= NETLBL_SECATTR_MLS_LVL;
+ nlsp->domain = kstrdup(smack, GFP_ATOMIC);
+ nlsp->flags = NETLBL_SECATTR_DOMAIN | NETLBL_SECATTR_MLS_LVL;
rc = smack_to_cipso(smack, &cipso);
if (rc == 0) {
@@ -1282,15 +1281,14 @@
{
struct socket_smack *ssp;
struct netlbl_lsm_secattr secattr;
- int rc = 0;
+ int rc;
ssp = sk->sk_security;
netlbl_secattr_init(&secattr);
smack_to_secattr(ssp->smk_out, &secattr);
- if (secattr.flags != NETLBL_SECATTR_NONE)
- rc = netlbl_sock_setattr(sk, &secattr);
-
+ rc = netlbl_sock_setattr(sk, &secattr);
netlbl_secattr_destroy(&secattr);
+
return rc;
}
@@ -1313,6 +1311,7 @@
struct inode_smack *nsp = inode->i_security;
struct socket_smack *ssp;
struct socket *sock;
+ int rc = 0;
if (value == NULL || size > SMK_LABELLEN)
return -EACCES;
@@ -1341,7 +1340,10 @@
ssp->smk_in = sp;
else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) {
ssp->smk_out = sp;
- return smack_netlabel(sock->sk);
+ rc = smack_netlabel(sock->sk);
+ if (rc != 0)
+ printk(KERN_WARNING "Smack: \"%s\" netlbl error %d.\n",
+ __func__, -rc);
} else
return -EOPNOTSUPP;
@@ -2214,6 +2216,9 @@
ssp->smk_packet[0] = '\0';
rc = smack_netlabel(sk);
+ if (rc != 0)
+ printk(KERN_WARNING "Smack: \"%s\" netlbl error %d.\n",
+ __func__, -rc);
}
/**
@@ -2346,6 +2351,20 @@
}
/*
+ * smack_secctx_to_secid - return the secid for a smack label
+ * @secdata: smack label
+ * @seclen: how long result is
+ * @secid: outgoing integer
+ *
+ * Exists for audit and networking code.
+ */
+static int smack_secctx_to_secid(char *secdata, u32 seclen, u32 *secid)
+{
+ *secid = smack_to_secid(secdata);
+ return 0;
+}
+
+/*
* smack_release_secctx - don't do anything.
* @key_ref: unused
* @context: unused
@@ -2475,6 +2494,7 @@
.key_permission = smack_key_permission,
#endif /* CONFIG_KEYS */
.secid_to_secctx = smack_secid_to_secctx,
+ .secctx_to_secid = smack_secctx_to_secid,
.release_secctx = smack_release_secctx,
};