Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge branch 'next-smack' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull smack updates from James Morris:
"Minor fixes from Piotr Sawicki"

* 'next-smack' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
Smack: Inform peer that IPv6 traffic has been blocked
Smack: Check UDP-Lite and DCCP protocols during IPv6 handling
Smack: Fix handling of IPv4 traffic received by PF_INET6 sockets

+16 -6
+16 -6
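--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -28,6 +28,7 @@
 #include <linux/tcp.h>
 #include <linux/udp.h>
 #include <linux/dccp.h>
+#include <linux/icmpv6.h>
 #include <linux/slab.h>
 #include <linux/mutex.h>
 #include <linux/pipe_fs_i.h>
@@ -3896,6 +3897,7 @@
 sip->sin6_port = th->source;
 break;
 case IPPROTO_UDP:
+case IPPROTO_UDPLITE:
 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
 if (uh != NULL)
 sip->sin6_port = uh->source;
@@ -3924,15 +3926,19 @@
 struct smack_known *skp = NULL;
 int rc = 0;
 struct smk_audit_info ad;
+u16 family = sk->sk_family;
 #ifdef CONFIG_AUDIT
 struct lsm_network_audit net;
 #endif
 #if IS_ENABLED(CONFIG_IPV6)
 struct sockaddr_in6 sadd;
 int proto;
+
+if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
+family = PF_INET;
 #endif /* CONFIG_IPV6 */
 
-switch (sk->sk_family) {
+switch (family) {
 case PF_INET:
 #ifdef CONFIG_SECURITY_SMACK_NETFILTER
 /*
@@ -3950,7 +3956,7 @@
 */
 netlbl_secattr_init(&secattr);
 
-rc = netlbl_skbuff_getattr(skb, sk->sk_family, &secattr);
+rc = netlbl_skbuff_getattr(skb, family, &secattr);
 if (rc == 0)
 skp = smack_from_secattr(&secattr, ssp);
 else
@@ -3963,7 +3969,7 @@
 #endif
 #ifdef CONFIG_AUDIT
 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
-ad.a.u.net->family = sk->sk_family;
+ad.a.u.net->family = family;
 ad.a.u.net->netif = skb->skb_iif;
 ipv4_skb_to_auditdata(skb, &ad.a, NULL);
 #endif
@@ -3977,12 +3983,13 @@
 rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in,
 MAY_WRITE, rc);
 if (rc != 0)
-netlbl_skbuff_err(skb, sk->sk_family, rc, 0);
+netlbl_skbuff_err(skb, family, rc, 0);
 break;
 #if IS_ENABLED(CONFIG_IPV6)
 case PF_INET6:
 proto = smk_skb_to_addr_ipv6(skb, &sadd);
-if (proto != IPPROTO_UDP && proto != IPPROTO_TCP)
+if (proto != IPPROTO_UDP && proto != IPPROTO_UDPLITE &&
+proto != IPPROTO_TCP && proto != IPPROTO_DCCP)
 break;
 #ifdef SMACK_IPV6_SECMARK_LABELING
 if (skb && skb->secmark != 0)
@@ -3993,7 +4000,7 @@
 skp = smack_net_ambient;
 #ifdef CONFIG_AUDIT
 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
-ad.a.u.net->family = sk->sk_family;
+ad.a.u.net->family = family;
 ad.a.u.net->netif = skb->skb_iif;
 ipv6_skb_to_auditdata(skb, &ad.a, NULL);
 #endif /* CONFIG_AUDIT */
@@ -4004,6 +4011,9 @@
 #ifdef SMACK_IPV6_PORT_LABELING
 rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING);
 #endif /* SMACK_IPV6_PORT_LABELING */
+if (rc != 0)
+icmpv6_send(skb, ICMPV6_DEST_UNREACH,
+ICMPV6_ADM_PROHIBITED, 0);
 break;
 #endif /* CONFIG_IPV6 */
 }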
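Review bot: The new family override near the top of the function reads `skb->protocol` unconditionally, while the PF_INET6 branch further down still tests `if (skb && skb->secmark != 0)`, so the two disagree about whether skb can be NULL in this hook. If skb is never NULL here (likely, since `smk_skb_to_addr_ipv6(skb, &sadd)` is already called on it without a check), the later `skb &&` test is dead and is better dropped than left to suggest otherwise; if it can be NULL, the override needs the same guard, `if (skb && family == PF_INET6 && skb->protocol == htons(ETH_P_IP))`. The override also deserves a why-comment such as `/* IPv4 packets delivered to a PF_INET6 socket must be label-checked as IPv4 */`, because without the remap such packets presumably fall into the IPv6 branch and can `break` with rc still 0. The function begins and ends outside the visible hunks, so the paths that set rc before the added `icmpv6_send()` call could not be checked from here.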