From patchwork Wed Nov 23 05:01:59 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vishal Goel X-Patchwork-Id: 9442621 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 92E5D60779 for ; Wed, 23 Nov 2016 05:06:58 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 864EF1FEBD for ; Wed, 23 Nov 2016 05:06:58 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 7B036205A8; Wed, 23 Nov 2016 05:06:58 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 4A2D31FEBD for ; Wed, 23 Nov 2016 05:06:57 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1750710AbcKWFGv (ORCPT ); Wed, 23 Nov 2016 00:06:51 -0500 Received: from mailout2.samsung.com ([203.254.224.25]:45278 "EHLO mailout2.samsung.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750824AbcKWFGt (ORCPT ); Wed, 23 Nov 2016 00:06:49 -0500 Received: from epcpsbgm2new.samsung.com (epcpsbgm2 [203.254.230.27]) by mailout2.samsung.com (Oracle Communications Messaging Server 7.0.5.31.0 64bit (built May 5 2014)) with ESMTP id <0OH200P7JWUPRTF0@mailout2.samsung.com> for linux-security-module@vger.kernel.org; Wed, 23 Nov 2016 14:06:25 +0900 (KST) X-AuditID: cbfee61b-f796f6d000004092-88-583523d121c5 Received: from epmmp2 ( [203.254.227.17]) by epcpsbgm2new.samsung.com (EPCPMTA) with SMTP id 65.FF.16530.1D325385; Wed, 23 Nov 2016 14:06:25 +0900 (KST) Received: from localhost.localdomain ([107.108.92.210]) by mmp2.samsung.com (Oracle Communications Messaging Server 7.0.5.31.0 64bit (built May 5 2014)) with ESMTPA id <0OH20003ZWUI5XE0@mmp2.samsung.com>; Wed, 23 Nov 2016 14:06:25 +0900 (KST) From: Vishal Goel To: casey@schaufler-ca.com, linux-security-module@vger.kernel.org Cc: vishal.goel@samsung.com, himanshu.sh@samsung.com, Vishal Goel , Himanshu Shukla Subject: [PATCH 2/3] Smack: Fix the issue of permission denied error in ipv6 hook Date: Wed, 23 Nov 2016 10:31:59 +0530 Message-id: <1479877319-12433-1-git-send-email-vishal.goel@samsung.com> X-Mailer: git-send-email 1.9.1 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrDLMWRmVeSWpSXmKPExsVy+t9jQd2LyqYRBrf7TC3ubfvFZrH3SQur xYeeR2wW626fZnRg8ejbsorR4+j+RWwenzfJBTBHudlkpCampBYppOYl56dk5qXbKoWGuOla KCnkJeam2ipF6PqGBCkplCXmlAJ5RgZowME5wD1YSd8uwS3j4YmrjAVTJCraX8Q3MP4S7mLk 5JAQMJE49+E/C4QtJnHh3nq2LkYuDiGBWYwS09/8YIJwfjJKbNnfzg5SxSagLdE77y4TiC0i 4CjReGo5WBGzQBejxNlpnawgCWGBYInj7yexgdgsAqoSa3r2MoPYvALuErPPvWeFWCcncfLY ZNYJjNwLGBlWMUqkFiQXFCel5xrlpZbrFSfmFpfmpesl5+duYgSH3DPpHYyHd7kfYhTgYFTi 4dXYYhIhxJpYVlyZe4hRgoNZSYQ3Vs40Qog3JbGyKrUoP76oNCe1+BCjKdABE5mlRJPzgfGQ VxJvaGJuYm5sYGFuaWlipCTO2zj7WbiQQHpiSWp2ampBahFMHxMHp1QDo7Ovpu25l7uWzpj0 4czfw/zfvFg77/3hmZyomN/yIfNL+9VrVmn/TX7PjJSV1RHdv9D0eS3bk8c3xaSMPrfOX6nd 1C8i9mADh4n1/v1mjxksouObu86nHQllniZ/YvfGpam7/b1SOXtWOylw7uvyL7Pu67SYkPn/ 8FpGw6T95opn1+hzWb8xVmIpzkg01GIuKk4EAD1LvdZPAgAA X-MTR: 20000000000000000@CPGS Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Permission denied error comes when 2 IPv6 servers are running and client tries to connect one of them. Scenario is that both servers are using same IP and port but different protocols(Udp and tcp). They are using different SMACK64IPIN labels.Tcp server is using "test" and udp server is using "test-in". When we try to run tcp client with SMACK64IPOUT label as "test", then connection denied error comes. It should not happen since both tcp server and client labels are same.This happens because there is no check for protocol in smk_ipv6_port_label() function while searching for the earlier port entry. It checks whether there is an existing port entry on the basis of port only. So it updates the earlier port entry in the list. Due to which smack label gets changed for earlier entry in the "smk_ipv6_port_list" list and permission denied error comes. Now a check is added for socket type also.Now if 2 processes use same port but different protocols (tcp or udp), then 2 different port entries will be added in the list. Similarly while checking smack access in smk_ipv6_port_check() function, port entry is searched on the basis of both port and protocol. Signed-off-by: Vishal Goel Signed-off-by: Himanshu Shukla Acked-by: Casey Schaufler --- security/smack/smack.h | 1 + security/smack/smack_lsm.c | 5 +++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/security/smack/smack.h b/security/smack/smack.h index 51fd301..7d92c74 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -173,6 +173,7 @@ struct smk_port_label { unsigned short smk_port; /* the port number */ struct smack_known *smk_in; /* inbound label */ struct smack_known *smk_out; /* outgoing label */ + short sock_type; /*Socket type*/ }; #endif /* SMACK_IPV6_PORT_LABELING */ diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 404919d..0ed61e9 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -2636,7 +2636,7 @@ static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address) */ rcu_read_lock(); list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { - if (spp->smk_port != port) + if (spp->smk_port != port || spp->sock_type != sock->type) continue; spp->smk_port = port; spp->smk_sock = sk; @@ -2657,6 +2657,7 @@ static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address) spp->smk_sock = sk; spp->smk_in = ssp->smk_in; spp->smk_out = ssp->smk_out; + spp->sock_type = sock->type; mutex_lock(&smack_ipv6_lock); list_add_rcu(&spp->list, &smk_ipv6_port_list); @@ -2713,7 +2714,7 @@ static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address, port = ntohs(address->sin6_port); rcu_read_lock(); list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { - if (spp->smk_port != port) + if (spp->smk_port != port || spp->sock_type != sk->sk_type) continue; object = spp->smk_in; if (act == SMK_CONNECTING)