From patchwork Mon Jul 9 12:12:35 2018
X-Patchwork-Submitter: Piotr Sawicki
X-Patchwork-Id: 10514451
From: Piotr Sawicki
Subject: [PATCH RFC] Smack: Fix handling of IPv4 traffic received by PF_INET6 sockets
To: Casey Schaufler, LSM, "SMACK-discuss@lists.01.org"
Cc: Piotr Sawicki
Date: Mon, 9 Jul 2018 14:12:35 +0200
Message-Id: <20180709121236eucas1p21b689ba0e2c53326ddd9d36b924530ad~-sjkOngnZ1880618806eucas1p23@eucas1p2.samsung.com>

A socket which has sk_family set to PF_INET6 is able to receive not only IPv6 but also IPv4 traffic (IPv4-mapped IPv6 addresses). Prior to this patch, the smk_skb_to_addr_ipv6() could have been called for socket buffers containing IPv4 packets; as a result, such traffic was allowed.

Signed-off-by: Piotr Sawicki
---
 security/smack/smack_lsm.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

/* diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 19de675..a6b4c2e 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -3924,15 +3924,20 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) struct smack_known *skp = NULL; int rc = 0; struct smk_audit_info ad; + u16 family = sk->sk_family; #ifdef CONFIG_AUDIT struct lsm_network_audit net; #endif #if IS_ENABLED(CONFIG_IPV6) struct sockaddr_in6 sadd; int proto; + + if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) { + family = PF_INET; + } #endif /* CONFIG_IPV6 */ - switch (sk->sk_family) { + switch (family) { case PF_INET: #ifdef CONFIG_SECURITY_SMACK_NETFILTER
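
Review bot: The new check under "#if IS_ENABLED(CONFIG_IPV6)" remaps the family from PF_INET6 to PF_INET without any comment, so the reason (IPv4 packets delivered to an IPv6 socket via IPv4-mapped addresses) lives only in the commit message; a one-line comment above the "if" would keep that reasoning with the code. The "if" also wraps a single statement, "family = PF_INET;", in braces, which kernel coding style drops. Because "switch (family)" now sends a socket whose sk->sk_family is PF_INET6 into "case PF_INET:", it is worth confirming against the full function that nothing in that branch assumes sk itself is an IPv4 socket; the body of the case is not visible in this hunk.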