aboutsummaryrefslogtreecommitdiffstats
path: root/security/smack/smack_lsm.c
diff options
context:
space:
mode:
authorCasey Schaufler <casey@schaufler-ca.com>2008-02-15 18:24:25 -0500
committerLinus Torvalds <torvalds@woody.linux-foundation.org>2008-02-19 10:51:00 -0500
commit4bc87e62775052aac0be7574d5f84ff06f61c6b4 (patch)
tree23063e82de8f7b7506d795919d7d4c13725e74a0 /security/smack/smack_lsm.c
parent9a4c8546f3e7c893888bccc2b3416d6214f2664a (diff)
Smack: unlabeled outgoing ambient packets
Smack uses CIPSO labeling, but allows for unlabeled packets by specifying an "ambient" label that is applied to incoming unlabeled packets. Because the other end of the connection may dislike IP options, and ssh is one know application that behaves thus, it is prudent to respond in kind. This patch changes the network labeling behavior such that an outgoing packet that would be given a CIPSO label that matches the ambient label is left unlabeled. An "unlbl" domain is added and the netlabel defaulting mechanism invoked rather than assuming that everything is CIPSO. Locking has been added around changes to the ambient label as the mechanisms used to do so are more involved. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Acked-by: Paul Moore <paul.moore@hp.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'security/smack/smack_lsm.c')
-rw-r--r--security/smack/smack_lsm.c36
1 files changed, 28 insertions, 8 deletions
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 2b5d6f72f678..25cbfa3f71f4 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1251,9 +1251,8 @@ static void smack_to_secattr(char *smack, struct netlbl_lsm_secattr *nlsp)
1251 1251
1252 switch (smack_net_nltype) { 1252 switch (smack_net_nltype) {
1253 case NETLBL_NLTYPE_CIPSOV4: 1253 case NETLBL_NLTYPE_CIPSOV4:
1254 nlsp->domain = NULL; 1254 nlsp->domain = kstrdup(smack, GFP_ATOMIC);
1255 nlsp->flags = NETLBL_SECATTR_DOMAIN; 1255 nlsp->flags = NETLBL_SECATTR_DOMAIN | NETLBL_SECATTR_MLS_LVL;
1256 nlsp->flags |= NETLBL_SECATTR_MLS_LVL;
1257 1256
1258 rc = smack_to_cipso(smack, &cipso); 1257 rc = smack_to_cipso(smack, &cipso);
1259 if (rc == 0) { 1258 if (rc == 0) {
@@ -1282,15 +1281,14 @@ static int smack_netlabel(struct sock *sk)
1282{ 1281{
1283 struct socket_smack *ssp; 1282 struct socket_smack *ssp;
1284 struct netlbl_lsm_secattr secattr; 1283 struct netlbl_lsm_secattr secattr;
1285 int rc = 0; 1284 int rc;
1286 1285
1287 ssp = sk->sk_security; 1286 ssp = sk->sk_security;
1288 netlbl_secattr_init(&secattr); 1287 netlbl_secattr_init(&secattr);
1289 smack_to_secattr(ssp->smk_out, &secattr); 1288 smack_to_secattr(ssp->smk_out, &secattr);
1290 if (secattr.flags != NETLBL_SECATTR_NONE) 1289 rc = netlbl_sock_setattr(sk, &secattr);
1291 rc = netlbl_sock_setattr(sk, &secattr);
1292
1293 netlbl_secattr_destroy(&secattr); 1290 netlbl_secattr_destroy(&secattr);
1291
1294 return rc; 1292 return rc;
1295} 1293}
1296 1294
@@ -1313,6 +1311,7 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name,
1313 struct inode_smack *nsp = inode->i_security; 1311 struct inode_smack *nsp = inode->i_security;
1314 struct socket_smack *ssp; 1312 struct socket_smack *ssp;
1315 struct socket *sock; 1313 struct socket *sock;
1314 int rc = 0;
1316 1315
1317 if (value == NULL || size > SMK_LABELLEN) 1316 if (value == NULL || size > SMK_LABELLEN)
1318 return -EACCES; 1317 return -EACCES;
@@ -1341,7 +1340,10 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name,
1341 ssp->smk_in = sp; 1340 ssp->smk_in = sp;
1342 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) { 1341 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) {
1343 ssp->smk_out = sp; 1342 ssp->smk_out = sp;
1344 return smack_netlabel(sock->sk); 1343 rc = smack_netlabel(sock->sk);
1344 if (rc != 0)
1345 printk(KERN_WARNING "Smack: \"%s\" netlbl error %d.\n",
1346 __func__, -rc);
1345 } else 1347 } else
1346 return -EOPNOTSUPP; 1348 return -EOPNOTSUPP;
1347 1349
@@ -2214,6 +2216,9 @@ static void smack_sock_graft(struct sock *sk, struct socket *parent)
2214 ssp->smk_packet[0] = '\0'; 2216 ssp->smk_packet[0] = '\0';
2215 2217
2216 rc = smack_netlabel(sk); 2218 rc = smack_netlabel(sk);
2219 if (rc != 0)
2220 printk(KERN_WARNING "Smack: \"%s\" netlbl error %d.\n",
2221 __func__, -rc);
2217} 2222}
2218 2223
2219/** 2224/**
@@ -2346,6 +2351,20 @@ static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
2346} 2351}
2347 2352
2348/* 2353/*
2354 * smack_secctx_to_secid - return the secid for a smack label
2355 * @secdata: smack label
2356 * @seclen: how long result is
2357 * @secid: outgoing integer
2358 *
2359 * Exists for audit and networking code.
2360 */
2361static int smack_secctx_to_secid(char *secdata, u32 seclen, u32 *secid)
2362{
2363 *secid = smack_to_secid(secdata);
2364 return 0;
2365}
2366
2367/*
2349 * smack_release_secctx - don't do anything. 2368 * smack_release_secctx - don't do anything.
2350 * @key_ref: unused 2369 * @key_ref: unused
2351 * @context: unused 2370 * @context: unused
@@ -2475,6 +2494,7 @@ static struct security_operations smack_ops = {
2475 .key_permission = smack_key_permission, 2494 .key_permission = smack_key_permission,
2476#endif /* CONFIG_KEYS */ 2495#endif /* CONFIG_KEYS */
2477 .secid_to_secctx = smack_secid_to_secctx, 2496 .secid_to_secctx = smack_secid_to_secctx,
2497 .secctx_to_secid = smack_secctx_to_secid,
2478 .release_secctx = smack_release_secctx, 2498 .release_secctx = smack_release_secctx,
2479}; 2499};
2480 2500
generated by cgit v1.2.2 (git 2.25.0) at 2024-11-08 06:45:04 -0500