Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1757224AbYBOVhf (ORCPT ); Fri, 15 Feb 2008 16:37:35 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1751382AbYBOVhY (ORCPT ); Fri, 15 Feb 2008 16:37:24 -0500 Received: from g5t0007.atlanta.hp.com ([15.192.0.44]:8517 "EHLO g5t0007.atlanta.hp.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756494AbYBOVhV (ORCPT ); Fri, 15 Feb 2008 16:37:21 -0500 From: Paul Moore Organization: Hewlett-Packard To: casey@schaufler-ca.com Subject: Re: [PATCH] (02/14/08 Linus git) Smack unlabeled outgoing ambient packets - v3 Date: Fri, 15 Feb 2008 16:37:14 -0500 User-Agent: KMail/1.9.7 Cc: akpm@linux-foundation.org, torvalds@linux-foundation.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org References: <291070.74513.qm@web36606.mail.mud.yahoo.com> In-Reply-To: <291070.74513.qm@web36606.mail.mud.yahoo.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200802151637.14835.paul.moore@hp.com> Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 3686 Lines: 92 On Friday 15 February 2008 4:00:26 pm Casey Schaufler wrote: > --- Paul Moore wrote: > > On Friday 15 February 2008 12:38:49 am Casey Schaufler wrote: > > > From: Casey Schaufler > > > > > > Smack uses CIPSO labeling, but allows for unlabeled packets > > > by specifying an "ambient" label that is applied to incoming > > > unlabeled packets. Because the other end of the connection > > > may dislike IP options, and ssh is one know application that > > > behaves thus, it is prudent to respond in kind. This patch > > > changes the network labeling behavior such that an outgoing > > > packet that would be given a CIPSO label that matches the > > > ambient label is left unlabeled. An "unlbl" domain is added > > > and the netlabel defaulting mechanism invoked rather than > > > assuming that everything is CIPSO. Locking has been added > > > around changes to the ambient label as the mechanisms used > > > to do so are more involved. > > > > > > Cleaned up some issues noted in review. > > > Make smk_cipso_doi() static. > > > Create a hook for the new security_secctx_to_secid() > > > using existing underlying code. > > > Fill in audit data for netlbl domain calls. > > > Collapse unnecessary multiple assignments. > > > > > > Signed-off-by: Casey Schaufler > > > > Hi Casey, > > > > Thanks for the update, it's much improved. I'd ack it except for > > one last thing which popped up in this revision ... (and don't > > worry, it's kinda my fault - not yours) ... > > > > > @@ -1282,15 +1281,21 @@ static int smack_netlabel(struct sock *s > > > { > > > struct socket_smack *ssp; > > > struct netlbl_lsm_secattr secattr; > > > - int rc = 0; > > > + int rc; > > > > > > ssp = sk->sk_security; > > > netlbl_secattr_init(&secattr); > > > smack_to_secattr(ssp->smk_out, &secattr); > > > - if (secattr.flags != NETLBL_SECATTR_NONE) > > > - rc = netlbl_sock_setattr(sk, &secattr); > > > - > > > + rc = netlbl_sock_setattr(sk, &secattr); > > > netlbl_secattr_destroy(&secattr); > > > + > > > + /* > > > + * A return of -ENOENT from netlbl_sock_setattr > > > + * indicates that the "domain" was not found, but that's > > > + * not an issue because of the defaulting behavior. > > > + */ > > > + if (rc == -ENOENT) > > > + rc = 0; > > > return rc; > > > } > > > > ... you shouldn't fix-up the return value from > > netlbl_sock_setattr(). It only returns an error when there really > > is an error, if there are no matching domain mappings and the > > default catches the "domain" then the function will return 0 > > (assuming no other failures). > > > > The fact that you ran into this problem isn't your fault, it's > > mine, but thankfully for both of us Pavel Emelyanov found this bug > > and fixed it[1]. It hasn't hit Linus' tree yet but it's in the > > net-2.6 tree. If you can't wait for it to hit Linus' tree you can > > always apply the fix by hand, it's pretty minor. > > > > Sorry about that. > > [1]http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=comm >it;h=4c3a0a254e5d706d3fe01bf42261534858d05586 > > Yerk. I can put that fix into my tree, but my patch without > the "correction" makes sockets behave very badly. I can't have > people using it without Pavel's fix. Any notion on the plans to > get that in? FYI, it looks like Linus just tagged -rc2 and it does have the fix you need. -- paul moore linux security @ hp -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/