authorLinus Torvalds <torvalds@linux-foundation.org>2018-08-16 01:49:04 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2018-08-16 01:49:04 -0400
commit04743f89bcad30a438ef4f38840caddd7978dbaa (patch)
tree9078a0a796f32ff64fdcfb1206540fcc455b93bc /security/smack
parent5bae2be4efd557ba3ec18f125d18c546f6b03cd2 (diff)
parentdf6b4e6608eebc2ff18113706f4e3b9d9a972e68 (diff)
Merge branch 'next-smack' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull smack updates from James Morris: "Minor fixes from Piotr Sawicki" * 'next-smack' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: Smack: Inform peer that IPv6 traffic has been blocked Smack: Check UDP-Lite and DCCP protocols during IPv6 handling Smack: Fix handling of IPv4 traffic received by PF_INET6 sockets
Diffstat (limited to 'security/smack')
-rw-r--r--security/smack/smack_lsm.c22
1 files changed, 16 insertions, 6 deletions
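--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -28,6 +28,7 @@
 #include <linux/tcp.h>
 #include <linux/udp.h>
 #include <linux/dccp.h>
+#include <linux/icmpv6.h>
 #include <linux/slab.h>
 #include <linux/mutex.h>
 #include <linux/pipe_fs_i.h>
@@ -3896,6 +3897,7 @@ static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip)
 sip->sin6_port = th->source;
 break;
 case IPPROTO_UDP:
+case IPPROTO_UDPLITE:
 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
 if (uh != NULL)
 sip->sin6_port = uh->source;
@@ -3924,15 +3926,19 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
 struct smack_known *skp = NULL;
 int rc = 0;
 struct smk_audit_info ad;
+u16 family = sk->sk_family;
 #ifdef CONFIG_AUDIT
 struct lsm_network_audit net;
 #endif
 #if IS_ENABLED(CONFIG_IPV6)
 struct sockaddr_in6 sadd;
 int proto;
+
+if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
+family = PF_INET;
 #endif /* CONFIG_IPV6 */
 
-switch (sk->sk_family) {
+switch (family) {
 case PF_INET:
 #ifdef CONFIG_SECURITY_SMACK_NETFILTER
 /*
@@ -3950,7 +3956,7 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
 */
 netlbl_secattr_init(&secattr);
 
-rc = netlbl_skbuff_getattr(skb, sk->sk_family, &secattr);
+rc = netlbl_skbuff_getattr(skb, family, &secattr);
 if (rc == 0)
 skp = smack_from_secattr(&secattr, ssp);
 else
@@ -3963,7 +3969,7 @@ access_check:
 #endif
 #ifdef CONFIG_AUDIT
 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
-ad.a.u.net->family = sk->sk_family;
+ad.a.u.net->family = family;
 ad.a.u.net->netif = skb->skb_iif;
 ipv4_skb_to_auditdata(skb, &ad.a, NULL);
 #endif
@@ -3977,12 +3983,13 @@ access_check:
 rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in,
 MAY_WRITE, rc);
 if (rc != 0)
-netlbl_skbuff_err(skb, sk->sk_family, rc, 0);
+netlbl_skbuff_err(skb, family, rc, 0);
 break;
 #if IS_ENABLED(CONFIG_IPV6)
 case PF_INET6:
 proto = smk_skb_to_addr_ipv6(skb, &sadd);
-if (proto != IPPROTO_UDP && proto != IPPROTO_TCP)
+if (proto != IPPROTO_UDP && proto != IPPROTO_UDPLITE &&
+proto != IPPROTO_TCP && proto != IPPROTO_DCCP)
 break;
 #ifdef SMACK_IPV6_SECMARK_LABELING
 if (skb && skb->secmark != 0)
@@ -3993,7 +4000,7 @@ access_check:
 skp = smack_net_ambient;
 #ifdef CONFIG_AUDIT
 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
-ad.a.u.net->family = sk->sk_family;
+ad.a.u.net->family = family;
 ad.a.u.net->netif = skb->skb_iif;
 ipv6_skb_to_auditdata(skb, &ad.a, NULL);
 #endif /* CONFIG_AUDIT */
@@ -4004,6 +4011,9 @@ access_check:
 #ifdef SMACK_IPV6_PORT_LABELING
 rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING);
 #endif /* SMACK_IPV6_PORT_LABELING */
+if (rc != 0)
+icmpv6_send(skb, ICMPV6_DEST_UNREACH,
+ICMPV6_ADM_PROHIBITED, 0);
 break;
 #endif /* CONFIG_IPV6 */
 }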
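Review bot: The new icmpv6_send() at new-side lines 4014-4016 answers every Smack denial in the PF_INET6 branch with an unsolicited ICMPv6 reply to whatever source address the dropped packet carried, and nothing next to it records that this deliberately reveals the policy decision to an unauthenticated remote host or which failure paths feed the rc it tests. A short comment would make the intent and the trust assumptions explicit: `/* Deliberately tell the peer the packet was administratively dropped; the reply goes to the unverified source address, so this relies on icmpv6_send()'s own rate limiting */`. The rate-limiting part is inferred from icmpv6_send()'s usual behaviour rather than anything visible here and should be confirmed before the comment states it. Note that rc at this point may come from the access check just above the hunk as well as from smk_ipv6_port_check() under SMACK_IPV6_PORT_LABELING, so both denial paths now produce the reply; the enclosing smack_socket_sock_rcv_skb() starts before this hunk.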