From patchwork Thu Jul 21 23:32:12 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 9242665 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 4C3F5602F0 for ; Thu, 21 Jul 2016 23:32:20 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3F2BF1FF0B for ; Thu, 21 Jul 2016 23:32:20 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 33C2C20410; Thu, 21 Jul 2016 23:32:20 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=2.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_HI,T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 52AA21FF0B for ; Thu, 21 Jul 2016 23:32:19 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752411AbcGUXcQ (ORCPT ); Thu, 21 Jul 2016 19:32:16 -0400 Received: from nm33-vm5.bullet.mail.bf1.yahoo.com ([72.30.239.205]:47123 "EHLO nm33-vm5.bullet.mail.bf1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752269AbcGUXcO (ORCPT ); Thu, 21 Jul 2016 19:32:14 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1469143932; bh=hVNqZnxmwefXxaZeUr9HNgdJq+Lv9lwKMskxIQn5kjo=; h=To:Cc:From:Subject:Date:From:Subject; b=bflxZUuS1os7w/WVbcq4O1vcdJywOC/MbG0Gy9eKAiE/S7lhBgwvmwi+F7CYkZrOQ4uSjWxtXNS1lbCNukW52fqHHtZPEUBBD75ETGd81V4hGzdDiGd9G1KhbCKWUI12sccqRaKFj/wvfvwTamNuKZp+2SQBV8G1/Qm9HwsUzDA7nGXt9kJtaxnMiIatCCqRQOTuzr6yHAF3ZDaITjZeHu4nzVfhIJP4xRz8vn5pKdmRrAWHfRSQTgLScbSULqeypLAuRzHOwic97jFHbInIsZDcTMxVxtFIHR+g6juURExCNoRV08HKdkvnD5yp4GhxhsyRi2Ln2NEEO9TByonCrw== Received: from [66.196.81.174] by nm33.bullet.mail.bf1.yahoo.com with NNFMP; 21 Jul 2016 23:32:12 -0000 Received: from [68.142.230.73] by tm20.bullet.mail.bf1.yahoo.com with NNFMP; 21 Jul 2016 23:32:12 -0000 Received: from [127.0.0.1] by smtp230.mail.bf1.yahoo.com with NNFMP; 21 Jul 2016 23:32:12 -0000 X-Yahoo-Newman-Id: 702757.49454.bm@smtp230.mail.bf1.yahoo.com X-Yahoo-Newman-Property: ymail-3 X-YMail-OSG: Klrr4t4VM1k.5TsUGrCswd1WCG8Zjrb8tNXcI34Bx7iPSTC .Oxi._Zij3gca8NcYHQb1YdcKS4dOp0g6qOkuly6GQ6.XwCyO4AVKV11twJ4 XVnilIHB_8Wmr.IRGLSFyN9AE0I7kj7Ica8octyhXFMgF.4pg2QSMHDdI8.k Rp_AfZnWw98ZEe6KmOjHf9i8PbSVu8G7SRtL.Nw6H4HZ.Zv6Leb6.BkG2c7Y UYtlZXfE.B2qOZ1.nFAEy8kucoBaLdOognU2a.2WU_J8jDK7dHxQnlvoAmTg k.HFQUXx_v.DX3HFT6CRGKwFjua5L3nvjLWtGNOh4ZO9jCD1t3TefScxBy_5 sLvWFBHnYZH0a8zHyfkqWDKyNPIpgjCa12msy10oGhnFQRgAcqmRt7FxROCE yyvcd75XfbiwdogpoZ3WV9v855_sWbyBHNShQZbY4OL.9_1jeIqCwnM5FAa. zol6mkS.DWAzIHrIjumPFNHFNyWjoJirzuDUHnHMTq.ZyURwIsZZnro.17lO tEsd3GhZCPHTEAVxucHZuh7jIXFi2EtLhiBjdRz6f9vjClo6LmoalLXtIP0k lvAtnduFs2jO8 X-Yahoo-SMTP: OIJXglSswBDfgLtXluJ6wiAYv6_cnw-- To: LSM Cc: Paul Moore , James Morris , Casey Schaufler From: Casey Schaufler Subject: [PATCH] Smack: Correct use of netlbl_skbuff_err Message-ID: Date: Thu, 21 Jul 2016 16:32:12 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0 MIME-Version: 1.0 Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Subject: [PATCH] Smack: Correct use of netlbl_skbuff_err Smack uses CIPSO to transmit the Smack label of the sending process in most cases. A single label is designated as the "ambient" label, and packets sent from this label go without CIPSO headers. Until recently, netlbl_skbuff_err() seemed happy to be used in either case, but mid 4-7 something changed. This is the real fix, making Smack appropriately careful about calling netlbl_skbuff_err() only when CIPSO is being used. Signed-off-by: Casey Schaufler --- security/smack/smack.h | 4 ++++ security/smack/smack_lsm.c | 13 ++++++++----- 2 files changed, 12 insertions(+), 5 deletions(-) -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/security/smack/smack.h b/security/smack/smack.h index 6c91156..89e3ea9 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -97,7 +97,11 @@ struct socket_smack { struct smack_known *smk_out; /* outbound label */ struct smack_known *smk_in; /* inbound label */ struct smack_known *smk_packet; /* TCP peer label */ + int smk_cipso; }; +#define SMACK_SOCKET_UNSET 0 +#define SMACK_SOCKET_CIPSO 1 +#define SMACK_SOCKET_UNLABELED 2 /* * Inode smack data diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index e96080e..b4b1f97 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -2312,6 +2312,7 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) ssp->smk_in = skp; ssp->smk_out = skp; ssp->smk_packet = NULL; + ssp->smk_cipso = SMACK_SOCKET_UNSET; sk->sk_security = ssp; @@ -2460,11 +2461,13 @@ static int smack_netlabel(struct sock *sk, int labeled) bh_lock_sock_nested(sk); if (ssp->smk_out == smack_net_ambient || - labeled == SMACK_UNLABELED_SOCKET) + labeled == SMACK_UNLABELED_SOCKET) { netlbl_sock_delattr(sk); - else { + ssp->smk_cipso = SMACK_SOCKET_UNLABELED; + } else { skp = ssp->smk_out; rc = netlbl_sock_setattr(sk, sk->sk_family, &skp->smk_netlabel); + ssp->smk_cipso = SMACK_SOCKET_CIPSO; } bh_unlock_sock(sk); @@ -3969,7 +3972,7 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) netlbl_secattr_init(&secattr); rc = netlbl_skbuff_getattr(skb, sk->sk_family, &secattr); - if (rc == 0) + if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) skp = smack_from_secattr(&secattr, ssp); else skp = smack_net_ambient; @@ -3994,7 +3997,7 @@ access_check: rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in, MAY_WRITE, rc); - if (rc != 0) + if (rc != 0 && ssp->smk_cipso == SMACK_SOCKET_CIPSO) netlbl_skbuff_err(skb, rc, 0); break; #if IS_ENABLED(CONFIG_IPV6) @@ -4249,7 +4252,7 @@ access_check: hskp = smack_ipv4host_label(&addr); rcu_read_unlock(); - if (hskp == NULL) + if (hskp == NULL && ssp->smk_cipso == SMACK_SOCKET_CIPSO) rc = netlbl_req_setattr(req, &skp->smk_netlabel); else netlbl_req_delattr(req);