Return-Path: <linux-kernel-owner+w=401wt.eu-S1757224AbYBOVhf@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1757224AbYBOVhf (ORCPT <rfc822;w@1wt.eu>);
	Fri, 15 Feb 2008 16:37:35 -0500
Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1751382AbYBOVhY
	(ORCPT <rfc822;linux-kernel-outgoing>);
	Fri, 15 Feb 2008 16:37:24 -0500
Received: from g5t0007.atlanta.hp.com ([15.192.0.44]:8517 "EHLO
	g5t0007.atlanta.hp.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1756494AbYBOVhV (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Fri, 15 Feb 2008 16:37:21 -0500
From: Paul Moore <paul.moore@hp.com>
Organization: Hewlett-Packard
To: casey@schaufler-ca.com
Subject: Re: [PATCH] (02/14/08 Linus git) Smack unlabeled outgoing ambient packets - v3
Date: Fri, 15 Feb 2008 16:37:14 -0500
User-Agent: KMail/1.9.7
Cc: akpm@linux-foundation.org, torvalds@linux-foundation.org,
       linux-kernel@vger.kernel.org, netdev@vger.kernel.org
References: <291070.74513.qm@web36606.mail.mud.yahoo.com>
In-Reply-To: <291070.74513.qm@web36606.mail.mud.yahoo.com>
MIME-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200802151637.14835.paul.moore@hp.com>
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 3686
Lines: 92

On Friday 15 February 2008 4:00:26 pm Casey Schaufler wrote:
> --- Paul Moore <paul.moore@hp.com> wrote:
> > On Friday 15 February 2008 12:38:49 am Casey Schaufler wrote:
> > > From: Casey Schaufler <casey@schaufler-ca.com>
> > >
> > > Smack uses CIPSO labeling, but allows for unlabeled packets
> > > by specifying an "ambient" label that is applied to incoming
> > > unlabeled packets. Because the other end of the connection
> > > may dislike IP options, and ssh is one know application that
> > > behaves thus, it is prudent to respond in kind. This patch
> > > changes the network labeling behavior such that an outgoing
> > > packet that would be given a CIPSO label that matches the
> > > ambient label is left unlabeled. An "unlbl" domain is added
> > > and the netlabel defaulting mechanism invoked rather than
> > > assuming that everything is CIPSO. Locking has been added
> > > around changes to the ambient label as the mechanisms used
> > > to do so are more involved.
> > >
> > > Cleaned up some issues noted in review.
> > > Make smk_cipso_doi() static.
> > > Create a hook for the new security_secctx_to_secid()
> > > using existing underlying code.
> > > Fill in audit data for netlbl domain calls.
> > > Collapse unnecessary multiple assignments.
> > >
> > > Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> >
> > Hi Casey,
> >
> > Thanks for the update, it's much improved.  I'd ack it except for
> > one last thing which popped up in this revision ... (and don't
> > worry, it's kinda my fault - not yours) ...
> >
> > > @@ -1282,15 +1281,21 @@ static int smack_netlabel(struct sock *s
> > >  {
> > >  	struct socket_smack *ssp;
> > >  	struct netlbl_lsm_secattr secattr;
> > > -	int rc = 0;
> > > +	int rc;
> > >
> > >  	ssp = sk->sk_security;
> > >  	netlbl_secattr_init(&secattr);
> > >  	smack_to_secattr(ssp->smk_out, &secattr);
> > > -	if (secattr.flags != NETLBL_SECATTR_NONE)
> > > -		rc = netlbl_sock_setattr(sk, &secattr);
> > > -
> > > +	rc = netlbl_sock_setattr(sk, &secattr);
> > >  	netlbl_secattr_destroy(&secattr);
> > > +
> > > +	/*
> > > +	 * A return of -ENOENT from netlbl_sock_setattr
> > > +	 * indicates that the "domain" was not found, but that's
> > > +	 * not an issue because of the defaulting behavior.
> > > +	 */
> > > +	if (rc == -ENOENT)
> > > +		rc = 0;
> > >  	return rc;
> > >  }
> >
> > ... you shouldn't fix-up the return value from
> > netlbl_sock_setattr(). It only returns an error when there really
> > is an error, if there are no matching domain mappings and the
> > default catches the "domain" then the function will return 0
> > (assuming no other failures).
> >
> > The fact that you ran into this problem isn't your fault, it's
> > mine, but thankfully for both of us Pavel Emelyanov found this bug
> > and fixed it[1].  It hasn't hit Linus' tree yet but it's in the
> > net-2.6 tree.  If you can't wait for it to hit Linus' tree you can
> > always apply the fix by hand, it's pretty minor.
> >
> > Sorry about that.
>
> [1]http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=comm
>it;h=4c3a0a254e5d706d3fe01bf42261534858d05586
>
> Yerk. I can put that fix into my tree, but my patch without
> the "correction" makes sockets behave very badly. I can't have
> people using it without Pavel's fix. Any notion on the plans to
> get that in?

FYI, it looks like Linus just tagged -rc2 and it does have the fix you 
need.

-- 
paul moore
linux security @ hp
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/