From patchwork Mon Jul 9 12:37:27 2018
X-Patchwork-Submitter: Piotr Sawicki
X-Patchwork-Id: 10514525
To: linux-security-module@vger.kernel.org
From: Piotr Sawicki
Subject: [PATCH RFC] Smack: Fix handling of IPv4 traffic received by PF_INET6 sockets
Date: Mon, 9 Jul 2018 14:37:27 +0200
CtMp8U4h+YmGHbcbps6Qs3zQyyWff+rYwsk/XZRYijMSDbWYi4oTAQlrsc+EAgAA Message-Id: <20180709123728eucas1p2e80949d219441dced3b0ab58e73315ce~-s5SM65Kc0595005950eucas1p2U@eucas1p2.samsung.com> X-CMS-MailID: 20180709123728eucas1p2e80949d219441dced3b0ab58e73315ce X-Msg-Generator: CA X-RootMTR: 20180709123728eucas1p2e80949d219441dced3b0ab58e73315ce X-EPHeader: CA CMS-TYPE: 201P X-CMS-RootMailID: 20180709123728eucas1p2e80949d219441dced3b0ab58e73315ce References: Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP A socket which has sk_family set to PF_INET6 is able to recevie not only IPv6 but also IPv4 traffic (IPv4-mapped IPv6 addresses). Prior to this patch, the smk_skb_to_addr_ipv6() could have been called for socket buffers containing IPv4 packets, in result such traffic was allowed. Signed-off-by: Piotr Sawicki --- security/smack/smack_lsm.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) /* diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 19de675..a6b4c2e 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -3924,15 +3924,20 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) struct smack_known *skp = NULL; int rc = 0; struct smk_audit_info ad; + u16 family = sk->sk_family; #ifdef CONFIG_AUDIT struct lsm_network_audit net; #endif #if IS_ENABLED(CONFIG_IPV6) struct sockaddr_in6 sadd; int proto; + + if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) { + family = PF_INET; + } #endif /* CONFIG_IPV6 */ - switch (sk->sk_family) { + switch (family) { case PF_INET: #ifdef CONFIG_SECURITY_SMACK_NETFILTER