Message ID | 20180719094732eucas1p18ac5bd15693cd06f868238c7a4951aa1~CvBwyJxUf3081230812eucas1p1q@eucas1p1.samsung.com (mailing list archive)
---|---
State | New, archived
On 7/19/2018 2:47 AM, Piotr Sawicki wrote: > In this patch we're sending an ICMPv6 message to a peer to > immediately inform it that making a connection is not possible. > In case of TCP connections, without this change, the peer > will be waiting until a connection timeout is exceeded. > > Signed-off-by: Piotr Sawicki <p.sawicki2@partner.samsung.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com> > --- > Changes in v2: > - Add missing Signed-off-by field > Changes in v3: > - Fix formatting issues caused by improper email client configuration > --- > security/smack/smack_lsm.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c > index c2282ac..efa81bc 100644 > --- a/security/smack/smack_lsm.c > +++ b/security/smack/smack_lsm.c > @@ -28,6 +28,7 @@ > #include <linux/tcp.h> > #include <linux/udp.h> > #include <linux/dccp.h> > +#include <linux/icmpv6.h> > #include <linux/slab.h> > #include <linux/mutex.h> > #include <linux/pipe_fs_i.h> > @@ -4010,6 +4011,9 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) > #ifdef SMACK_IPV6_PORT_LABELING > rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING); > #endif /* SMACK_IPV6_PORT_LABELING */ > + if (rc != 0) > + icmpv6_send(skb, ICMPV6_DEST_UNREACH, > + ICMPV6_ADM_PROHIBITED, 0); > break; > #endif /* CONFIG_IPV6 */ > } -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On 7/19/2018 2:47 AM, Piotr Sawicki wrote: > In this patch we're sending an ICMPv6 message to a peer to > immediately inform it that making a connection is not possible. > In case of TCP connections, without this change, the peer > will be waiting until a connection timeout is exceeded. > > Signed-off-by: Piotr Sawicki <p.sawicki2@partner.samsung.com> Added to git://github.com/cschaufler/next-smack.git#smack-for-4.19-a > --- > Changes in v2: > - Add missing Signed-off-by field > Changes in v3: > - Fix formatting issues caused by improper email client configuration > --- > security/smack/smack_lsm.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c > index c2282ac..efa81bc 100644 > --- a/security/smack/smack_lsm.c > +++ b/security/smack/smack_lsm.c > @@ -28,6 +28,7 @@ > #include <linux/tcp.h> > #include <linux/udp.h> > #include <linux/dccp.h> > +#include <linux/icmpv6.h> > #include <linux/slab.h> > #include <linux/mutex.h> > #include <linux/pipe_fs_i.h> > @@ -4010,6 +4011,9 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) > #ifdef SMACK_IPV6_PORT_LABELING > rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING); > #endif /* SMACK_IPV6_PORT_LABELING */ > + if (rc != 0) > + icmpv6_send(skb, ICMPV6_DEST_UNREACH, > + ICMPV6_ADM_PROHIBITED, 0); > break; > #endif /* CONFIG_IPV6 */ > }
I am looking at CALIPSO support for Smack. CALIPSO provides the same sort of network packet labeling for IPv6 that CIPSO provides for IPv4. Because most of the details are buried in the Netlabel code this should be reasonably straightforward.

The complication is that Smack has two mechanisms in place for labeling IPv6 already, and neither uses anything like CALIPSO packet labeling. If CONFIG_SECURITY_SMACK_NETFILTER is defined Smack secids are sent via the netfilter secmark. Otherwise, the Smack label of the process creating a socket is maintained in a table indexed by the port number.

My proposed change would make the IPv6 labeling match the IPv4 labeling. The entire port number scheme would be abandoned. The current secmark scheme would continue to be used if it is configured. Whereas today IPv6 labeling is only supported locally, the new code would support labeling remote systems as well.

Systems that use CONFIG_SECURITY_SMACK_NETFILTER should be unaffected for local use. The host address labeling scheme would be retained, so any system configured to use IPv6 externally shouldn't see a difference. Systems that don't use the option should also work the same as they do today.

Are there any users of Smack that use IPv6 but do not use CONFIG_SECURITY_SMACK_NETFILTER? Does anyone have, know of or imagine a use case where CALIPSO labeling would not be a viable replacement for the hackish "port labeling"?

Thank you.
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index c2282ac..efa81bc 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -28,6 +28,7 @@ #include <linux/tcp.h> #include <linux/udp.h> #include <linux/dccp.h> +#include <linux/icmpv6.h> #include <linux/slab.h> #include <linux/mutex.h> #include <linux/pipe_fs_i.h> @@ -4010,6 +4011,9 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) #ifdef SMACK_IPV6_PORT_LABELING rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING); #endif /* SMACK_IPV6_PORT_LABELING */ + if (rc != 0) + icmpv6_send(skb, ICMPV6_DEST_UNREACH, + ICMPV6_ADM_PROHIBITED, 0); break; #endif /* CONFIG_IPV6 */ }
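Review bot: In the smack_socket_sock_rcv_skb() hunk, the new `if (rc != 0)` sits after `#endif /* SMACK_IPV6_PORT_LABELING */`, so it acts on whatever `rc` the IPv6 check above it produced; that is the right place, but two consequences deserve a sentence in the commit message or a comment above the call. First, a denial that used to be a silent drop (the peer waited for its connection timeout, as the commit message says) now answers every rejected packet with Destination Unreachable / Administratively Prohibited, which lets a remote sender tell "refused by label policy" apart from "host unreachable"; say that this is intentional. Second, the hunk is not protocol-conditional: the commit message motivates the change with TCP, but `icmpv6_send()` is also reached for any other rejected datagram on this path, one ICMPv6 error per rejected packet. The access decision itself is unchanged, since `rc` is not touched; a comment such as `/* tell the peer the label policy refused this packet */` above the `icmpv6_send(skb, ICMPV6_DEST_UNREACH,` line would record both points.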
In this patch we're sending an ICMPv6 message to a peer to immediately inform it that making a connection is not possible. In case of TCP connections, without this change, the peer will be waiting until a connection timeout is exceeded.

Signed-off-by: Piotr Sawicki <p.sawicki2@partner.samsung.com>
---
Changes in v2:
- Add missing Signed-off-by field
Changes in v3:
- Fix formatting issues caused by improper email client configuration
---
security/smack/smack_lsm.c | 4 ++++
1 file changed, 4 insertions(+)
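The commit message describes the change at the level of what the peer observes. The following is an added example, not code from the patch, the Smack tree or the kernel: a userspace C model of the Destination Unreachable / Administratively Prohibited message that icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_ADM_PROHIBITED, 0) puts on the wire for a rejected TCP SYN, with the RFC 4443 pseudo-header checksum and the 1280-byte quoting limit on the sending side, and on the receiving side the validation a peer does before it maps the ICMPv6 code to the errno its connect() returns. The addresses, ports, function names and the `struct unreach` type are constructed for the example and are not part of the original page.

```c
/* Added example, not part of the Smack patch or the kernel: a userspace model of
 * the ICMPv6 Destination Unreachable / Administratively Prohibited reply that
 * icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_ADM_PROHIBITED, 0) emits for a
 * rejected TCP SYN, and the checks a receiver does before trusting it.
 * Addresses and ports are constructed. Build: cc -std=c99 -Wall icmp6demo.c */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { IP6_HLEN = 40, ICMP6_HLEN = 8, NH_TCP = 6, NH_ICMP6 = 58,
       ICMP6_DEST_UNREACH = 1, ICMP6_ADM_PROHIBITED = 1, IP6_MIN_MTU = 1280 };
struct unreach { uint8_t code, proto, src[16], dst[16]; uint16_t sport, dport; int err; };

static uint32_t sum16(uint32_t s, const uint8_t *p, size_t n)
{
    for (; n > 1; p += 2, n -= 2) s += (uint32_t)p[0] << 8 | p[1];
    return n ? s + ((uint32_t)p[0] << 8) : s;
}

/* RFC 4443 2.3: ones'-complement sum over the IPv6 pseudo-header (src, dst, ICMPv6
 * length, three zero bytes, next header 58) and the message; 0 if already correct. */
uint16_t icmp6_csum(const uint8_t *src, const uint8_t *dst, const uint8_t *msg, size_t n)
{
    uint8_t ph[40] = {0};
    memcpy(ph, src, 16); memcpy(ph + 16, dst, 16);
    ph[32] = n >> 24; ph[33] = n >> 16; ph[34] = n >> 8; ph[35] = n; ph[39] = NH_ICMP6;
    uint32_t s = sum16(sum16(0, ph, 40), msg, n);
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}

/* Sender side, what icmpv6_send() does for the LSM: wrap `orig` (the rejected packet,
 * IPv6 header first) in IPv6 + ICMPv6 with addresses swapped, quoting as much of it
 * as fits the 1280-byte minimum MTU (RFC 4443 2.4(c)); `info` is 0 for unreachable. */
size_t build_icmp6_unreach(uint8_t *out, const uint8_t *orig, size_t orig_len,
                           uint8_t code, uint32_t info)
{
    size_t max = IP6_MIN_MTU - IP6_HLEN - ICMP6_HLEN, quote = orig_len > max ? max : orig_len;
    size_t plen = ICMP6_HLEN + quote; uint8_t *ip = out, *ic = out + IP6_HLEN;
    memset(ip, 0, IP6_HLEN);
    ip[0] = 0x60; ip[4] = plen >> 8; ip[5] = plen; ip[6] = NH_ICMP6; ip[7] = 64;
    memcpy(ip + 8, orig + 24, 16); memcpy(ip + 24, orig + 8, 16);   /* swap src/dst */
    ic[0] = ICMP6_DEST_UNREACH; ic[1] = code; ic[2] = ic[3] = 0;
    ic[4] = info >> 24; ic[5] = info >> 16; ic[6] = info >> 8; ic[7] = info;
    memcpy(ic + ICMP6_HLEN, orig, quote);
    uint16_t c = icmp6_csum(ip + 8, ip + 24, ic, plen);
    ic[2] = c >> 8; ic[3] = c;
    return IP6_HLEN + plen;
}

/* Receiver side: fills `u` and returns 0 only for a well-formed Destination Unreachable
 * with a valid checksum that quotes at least the original IPv6 header and transport
 * ports; -1 otherwise. `err` is what Linux's icmpv6_err_convert() (net/ipv6/icmp.c)
 * hands a connecting TCP socket for the code; code 1 is fatal, so connect() fails. */
int parse_icmp6_unreach(const uint8_t *pkt, size_t len, struct unreach *u)
{
    if (len < IP6_HLEN + ICMP6_HLEN + IP6_HLEN + 4) return -1;
    if ((pkt[0] >> 4) != 6 || pkt[6] != NH_ICMP6) return -1;
    size_t plen = (size_t)pkt[4] << 8 | pkt[5];
    if (plen + IP6_HLEN != len) return -1;
    const uint8_t *ic = pkt + IP6_HLEN, *orig = ic + ICMP6_HLEN;
    if (ic[0] != ICMP6_DEST_UNREACH || (orig[0] >> 4) != 6) return -1;
    if (icmp6_csum(pkt + 8, pkt + 24, ic, plen) != 0) return -1;
    u->code = ic[1]; u->proto = orig[6];
    memcpy(u->src, orig + 8, 16); memcpy(u->dst, orig + 24, 16);
    u->sport = (uint16_t)(orig[40] << 8 | orig[41]); u->dport = (uint16_t)(orig[42] << 8 | orig[43]);
    switch (u->code) {
    case 0: u->err = ENETUNREACH; break;
    case 1: case 5: case 6: u->err = EACCES; break;  /* 1 = ADM_PROHIBITED */
    case 2: case 3: u->err = EHOSTUNREACH; break;
    case 4: u->err = ECONNREFUSED; break;
    default: u->err = EPROTO; break;
    }
    return 0;
}

/* Constructed sample: TCP SYN [2001:db8::1]:40000 -> [2001:db8::2]:22 (TCP checksum
 * left zero: the error quotes the packet, nobody re-verifies it). */
size_t sample_syn(uint8_t *buf)
{
    memset(buf, 0, IP6_HLEN + 20);
    buf[0] = 0x60; buf[5] = 20; buf[6] = NH_TCP; buf[7] = 64;
    buf[8] = buf[24] = 0x20; buf[9] = buf[25] = 0x01; buf[10] = buf[26] = 0x0d;
    buf[11] = buf[27] = 0xb8; buf[23] = 1; buf[39] = 2;
    buf[40] = 0x9c; buf[41] = 0x40; buf[43] = 22;    /* ports 40000 -> 22 */
    buf[52] = 0x50; buf[53] = 0x02;                  /* data offset 5, SYN */
    return IP6_HLEN + 20;
}

int main(void)
{
    uint8_t syn[64], icmp[IP6_MIN_MTU]; struct unreach u;
    size_t n = build_icmp6_unreach(icmp, syn, sample_syn(syn), ICMP6_ADM_PROHIBITED, 0);
    if (parse_icmp6_unreach(icmp, n, &u) == 0)
        printf("code %u, %u -> %u: connect() gets %s\n", u.code, u.sport, u.dport, strerror(u.err));
    icmp[50] ^= 1;                                   /* tamper with the quoted packet */
    printf("tampered copy accepted: %s\n", parse_icmp6_unreach(icmp, n, &u) ? "no" : "yes");
    return 0;
}
```

Running it prints the code and errno for the sample SYN and shows that a copy with one flipped bit in the quoted packet is rejected by the checksum. The errno mapping is the one Linux applies in icmpv6_err_convert(): code 1 is treated as fatal, which is why the connecting side's connect() returns EACCES at once instead of waiting for its SYN retransmissions to time out, the behaviour the commit message is after. The receiver-side checks matter for the same reason the patch does: an ICMPv6 error that is accepted without checksum and length validation would let anyone on the path abort connections at will.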