4 files changed, 45 insertions, 10 deletions
diff --git a/security/smack/smack.h b/security/smack/smack.h
index 5e5a3bcb599a..42ef313f9856 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -132,6 +132,8 @@ struct smack_known {
 #define XATTR_NAME_SMACKIPIN    XATTR_SECURITY_PREFIX XATTR_SMACK_IPIN
 #define XATTR_NAME_SMACKIPOUT   XATTR_SECURITY_PREFIX XATTR_SMACK_IPOUT
+#define SMACK_CIPSO_OPTION      "-CIPSO"
 /*
 * How communications on this socket are treated.
 * Usually it's determined by the underlying netlabel code
@@ -199,6 +201,7 @@ u32 smack_to_secid(const char *);
 extern int smack_cipso_direct;
 extern char *smack_net_ambient;
 extern char *smack_onlycap;
+extern const char *smack_cipso_option;
 extern struct smack_known smack_known_floor;
 extern struct smack_known smack_known_hat;
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index 58564195bb09..ac0a2707f6d4 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -261,6 +261,9 @@ char *smk_import(const char *string, int len)
 {
        struct smack_known *skp;
+        /* labels cannot begin with a '-' */
+        if (string[0] == '-')
+                return NULL;
        skp = smk_import_entry(string, len);
        if (skp == NULL)
                return NULL;
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 8ed502c2ad45..921514902eca 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -609,6 +609,9 @@ static int smack_inode_setxattr(struct dentry *dentry, const char *name,
            strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) {
                if (!capable(CAP_MAC_ADMIN))
                        rc = -EPERM;
+                /* a label cannot be void and cannot begin with '-' */
+                if (size == 0 || (size > 0 && ((char *)value)[0] == '-'))
+                        rc = -EINVAL;
        } else
                rc = cap_inode_setxattr(dentry, name, value, size, flags);
@@ -1323,8 +1326,12 @@ static char *smack_host_label(struct sockaddr_in *sip)
                * so we have found the most specific match
                */
                if ((&snp->smk_host.sin_addr)->s_addr ==
-                    (siap->s_addr & (&snp->smk_mask)->s_addr))
+                    (siap->s_addr & (&snp->smk_mask)->s_addr)) {
+                        /* we have found the special CIPSO option */
+                        if (snp->smk_label == smack_cipso_option)
+                                return NULL;
                        return snp->smk_label;
+                }
        return NULL;
 }
@@ -1486,7 +1493,7 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name,
        struct socket *sock;
        int rc = 0;
-        if (value == NULL || size > SMK_LABELLEN)
+        if (value == NULL || size > SMK_LABELLEN || size == 0)
                return -EACCES;
        sp = smk_import(value, size);
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 856c8a287523..e03a7e19c73b 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -86,6 +86,9 @@ LIST_HEAD(smack_rule_list);
 static int smk_cipso_doi_value = SMACK_CIPSO_DOI_DEFAULT;
+const char *smack_cipso_option = SMACK_CIPSO_OPTION;
 #define SEQ_READ_FINISHED       1
 /*
@@ -565,6 +568,11 @@ static ssize_t smk_write_cipso(struct file *file, const char __user *buf,
                goto unlockedout;
        }
+        /* labels cannot begin with a '-' */
+        if (data[0] == '-') {
+                rc = -EINVAL;
+                goto unlockedout;
+        }
        data[count] = '\0';
        rule = data;
        /*
@@ -808,9 +816,18 @@ static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf,
        if (m > BEBITS)
                return -EINVAL;
-        sp = smk_import(smack, 0);
+        /* if smack begins with '-', its an option, don't import it */
-        if (sp == NULL)
+        if (smack[0] != '-') {
-                return -EINVAL;
+                sp = smk_import(smack, 0);
+                if (sp == NULL)
+                        return -EINVAL;
+        } else {
+                /* check known options */
+                if (strcmp(smack, smack_cipso_option) == 0)
+                        sp = (char *)smack_cipso_option;
+                else
+                        return -EINVAL;
+        }
        for (temp_mask = 0; m > 0; m--) {
                temp_mask |= mask_bits;
@@ -849,18 +866,23 @@ static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf,
                        smk_netlbladdr_insert(skp);
                }
        } else {
-                rc = netlbl_cfg_unlbl_static_del(&init_net, NULL,
+                /* we delete the unlabeled entry, only if the previous label
-                        &skp->smk_host.sin_addr, &skp->smk_mask,
+                 * wasnt the special CIPSO option */
-                        PF_INET, &audit_info);
+                if (skp->smk_label != smack_cipso_option)
+                        rc = netlbl_cfg_unlbl_static_del(&init_net, NULL,
+                                        &skp->smk_host.sin_addr, &skp->smk_mask,
+                                        PF_INET, &audit_info);
+                else
+                        rc = 0;
                skp->smk_label = sp;
        }
        /*
         * Now tell netlabel about the single label nature of
         * this host so that incoming packets get labeled.
+         * but only if we didn't get the special CIPSO option
         */
+        if (rc == 0 && sp != smack_cipso_option)
-        if (rc == 0)
                rc = netlbl_cfg_unlbl_static_add(&init_net, NULL,
                        &skp->smk_host.sin_addr, &skp->smk_mask, PF_INET,
                        smack_to_secid(skp->smk_label), &audit_info);

diff --git a/security/smack/smack.h b/security/smack/smack.h index 5e5a3bcb599a..42ef313f9856 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h
@@ -132,6 +132,8 @@ struct smack_known {
132	#define XATTR_NAME_SMACKIPIN XATTR_SECURITY_PREFIX XATTR_SMACK_IPIN	132	#define XATTR_NAME_SMACKIPIN XATTR_SECURITY_PREFIX XATTR_SMACK_IPIN
133	#define XATTR_NAME_SMACKIPOUT XATTR_SECURITY_PREFIX XATTR_SMACK_IPOUT	133	#define XATTR_NAME_SMACKIPOUT XATTR_SECURITY_PREFIX XATTR_SMACK_IPOUT
134		134
		135	#define SMACK_CIPSO_OPTION "-CIPSO"
		136
135	/*	137	/*
136	* How communications on this socket are treated.	138	* How communications on this socket are treated.
137	* Usually it's determined by the underlying netlabel code	139	* Usually it's determined by the underlying netlabel code
@@ -199,6 +201,7 @@ u32 smack_to_secid(const char *);
199	extern int smack_cipso_direct;	201	extern int smack_cipso_direct;
200	extern char *smack_net_ambient;	202	extern char *smack_net_ambient;
201	extern char *smack_onlycap;	203	extern char *smack_onlycap;
		204	extern const char *smack_cipso_option;
202		205
203	extern struct smack_known smack_known_floor;	206	extern struct smack_known smack_known_floor;
204	extern struct smack_known smack_known_hat;	207	extern struct smack_known smack_known_hat;


diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c index 58564195bb09..ac0a2707f6d4 100644 --- a/security/smack/smack_access.c +++ b/security/smack/smack_access.c
@@ -261,6 +261,9 @@ char smk_import(const char string, int len)
261	{	261	{
262	struct smack_known *skp;	262	struct smack_known *skp;
263		263
		264	/* labels cannot begin with a '-' */
		265	if (string[0] == '-')
		266	return NULL;
264	skp = smk_import_entry(string, len);	267	skp = smk_import_entry(string, len);
265	if (skp == NULL)	268	if (skp == NULL)
266	return NULL;	269	return NULL;


diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 8ed502c2ad45..921514902eca 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c
@@ -609,6 +609,9 @@ static int smack_inode_setxattr(struct dentry dentry, const char name,
609	strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) {	609	strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) {
610	if (!capable(CAP_MAC_ADMIN))	610	if (!capable(CAP_MAC_ADMIN))
611	rc = -EPERM;	611	rc = -EPERM;
		612	/* a label cannot be void and cannot begin with '-' */
		613	if (size == 0 \|\| (size > 0 && ((char *)value)[0] == '-'))
		614	rc = -EINVAL;
612	} else	615	} else
613	rc = cap_inode_setxattr(dentry, name, value, size, flags);	616	rc = cap_inode_setxattr(dentry, name, value, size, flags);
614		617
@@ -1323,8 +1326,12 @@ static char smack_host_label(struct sockaddr_in sip)
1323	* so we have found the most specific match	1326	* so we have found the most specific match
1324	*/	1327	*/
1325	if ((&snp->smk_host.sin_addr)->s_addr ==	1328	if ((&snp->smk_host.sin_addr)->s_addr ==
1326	(siap->s_addr & (&snp->smk_mask)->s_addr))	1329	(siap->s_addr & (&snp->smk_mask)->s_addr)) {
		1330	/* we have found the special CIPSO option */
		1331	if (snp->smk_label == smack_cipso_option)
		1332	return NULL;
1327	return snp->smk_label;	1333	return snp->smk_label;
		1334	}
1328		1335
1329	return NULL;	1336	return NULL;
1330	}	1337	}
@@ -1486,7 +1493,7 @@ static int smack_inode_setsecurity(struct inode inode, const char name,
1486	struct socket *sock;	1493	struct socket *sock;
1487	int rc = 0;	1494	int rc = 0;
1488		1495
1489	if (value == NULL \|\| size > SMK_LABELLEN)	1496	if (value == NULL \|\| size > SMK_LABELLEN \|\| size == 0)
1490	return -EACCES;	1497	return -EACCES;
1491		1498
1492	sp = smk_import(value, size);	1499	sp = smk_import(value, size);


diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index 856c8a287523..e03a7e19c73b 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c
@@ -86,6 +86,9 @@ LIST_HEAD(smack_rule_list);
86		86
87	static int smk_cipso_doi_value = SMACK_CIPSO_DOI_DEFAULT;	87	static int smk_cipso_doi_value = SMACK_CIPSO_DOI_DEFAULT;
88		88
		89	const char *smack_cipso_option = SMACK_CIPSO_OPTION;
		90
		91
89	#define SEQ_READ_FINISHED 1	92	#define SEQ_READ_FINISHED 1
90		93
91	/*	94	/*
@@ -565,6 +568,11 @@ static ssize_t smk_write_cipso(struct file file, const char __user buf,
565	goto unlockedout;	568	goto unlockedout;
566	}	569	}
567		570
		571	/* labels cannot begin with a '-' */
		572	if (data[0] == '-') {
		573	rc = -EINVAL;
		574	goto unlockedout;
		575	}
568	data[count] = '\0';	576	data[count] = '\0';
569	rule = data;	577	rule = data;
570	/*	578	/*
@@ -808,9 +816,18 @@ static ssize_t smk_write_netlbladdr(struct file file, const char __user buf,
808	if (m > BEBITS)	816	if (m > BEBITS)
809	return -EINVAL;	817	return -EINVAL;
810		818
811	sp = smk_import(smack, 0);	819	/* if smack begins with '-', its an option, don't import it */
812	if (sp == NULL)	820	if (smack[0] != '-') {
813	return -EINVAL;	821	sp = smk_import(smack, 0);
		822	if (sp == NULL)
		823	return -EINVAL;
		824	} else {
		825	/* check known options */
		826	if (strcmp(smack, smack_cipso_option) == 0)
		827	sp = (char *)smack_cipso_option;
		828	else
		829	return -EINVAL;
		830	}
814		831
815	for (temp_mask = 0; m > 0; m--) {	832	for (temp_mask = 0; m > 0; m--) {
816	temp_mask \|= mask_bits;	833	temp_mask \|= mask_bits;
@@ -849,18 +866,23 @@ static ssize_t smk_write_netlbladdr(struct file file, const char __user buf,
849	smk_netlbladdr_insert(skp);	866	smk_netlbladdr_insert(skp);
850	}	867	}
851	} else {	868	} else {
852	rc = netlbl_cfg_unlbl_static_del(&init_net, NULL,	869	/* we delete the unlabeled entry, only if the previous label
853	&skp->smk_host.sin_addr, &skp->smk_mask,	870	* wasnt the special CIPSO option */
854	PF_INET, &audit_info);	871	if (skp->smk_label != smack_cipso_option)
		872	rc = netlbl_cfg_unlbl_static_del(&init_net, NULL,
		873	&skp->smk_host.sin_addr, &skp->smk_mask,
		874	PF_INET, &audit_info);
		875	else
		876	rc = 0;
855	skp->smk_label = sp;	877	skp->smk_label = sp;
856	}	878	}
857		879
858	/*	880	/*
859	* Now tell netlabel about the single label nature of	881	* Now tell netlabel about the single label nature of
860	* this host so that incoming packets get labeled.	882	* this host so that incoming packets get labeled.
		883	* but only if we didn't get the special CIPSO option
861	*/	884	*/
862		885	if (rc == 0 && sp != smack_cipso_option)
863	if (rc == 0)
864	rc = netlbl_cfg_unlbl_static_add(&init_net, NULL,	886	rc = netlbl_cfg_unlbl_static_add(&init_net, NULL,
865	&skp->smk_host.sin_addr, &skp->smk_mask, PF_INET,	887	&skp->smk_host.sin_addr, &skp->smk_mask, PF_INET,
866	smack_to_secid(skp->smk_label), &audit_info);	888	smack_to_secid(skp->smk_label), &audit_info);