From patchwork Thu Feb 28 22:43:52 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 10834179 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id D132418EC for ; Thu, 28 Feb 2019 22:44:42 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C04D92FB9B for ; Thu, 28 Feb 2019 22:44:42 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id B563C2FBA2; Thu, 28 Feb 2019 22:44:42 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 698F92FB98 for ; Thu, 28 Feb 2019 22:44:42 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731348AbfB1Wol (ORCPT ); Thu, 28 Feb 2019 17:44:41 -0500 Received: from sonic301-10.consmr.mail.bf2.yahoo.com ([74.6.129.49]:37792 "EHLO sonic301-10.consmr.mail.bf2.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731153AbfB1Wok (ORCPT ); Thu, 28 Feb 2019 17:44:40 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1551393879; bh=myo0K4BZ46tU+RPsERMaTfIKTHsxeAeIOvh0XfDHLWk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject; b=D7FEnvUWVC9mY20inJ1N7jXfcBDsOiybO5ZjZx9rOIHAgVGLdg14w8LqK9u0g8XVWLp1zXKFmBrInlNilLVM9ke/FGgHyPparov5LDlCzKufsJdtU3/Ixs9vwx3Dn5167xeofA8aq6PdKIFGDbkV2P1mYxZXZ+Y/i1BD3LvulMVkWuc/pdE5Vzg1doAZoj52lpLyvhAigdnCca1PdLamd1g96Tz8L0/UIGriIQl1WT17bx0GhT288JxFzxAyT9EyC96bbl60Tue8DMCadOLhndKW96jRg531wVNjb5CRNQb2rumHkDcERRk6MasBfwWL/9Tfpn8ZknP9yaF7R7cdWQ== X-YMail-OSG: YwYcPBEVM1ldV8IBb1R5NnXlqKCeEWvTUlwbr3CxaY6UmDbHi5EudfbW7QAM._v rsqAqF7nZ_ooxGFgKFuS.mDxhlFEfUJNE3Exphg8MiK.U.fPD9kwcIJX_M7osXuNj7_Ze9Q0OXpu zd9jumm9eNEz4Mhn.SwVLTQ9SRnsXp.pWL5aaXwY2xeQ4oOkDIvtiKJIPAAxAVdoiphvlTRnCnjL 2rSaUpX6vwdOBBT2lCxMnn0TIxEo8UN.4_zt0Nlr7aqgbzkcA_aZ1218doxp_7QYsrfTlD_uRooM zIJ6KmX5a2XRQwJEcNzjB3At0lYYkI5NBv1bBpCoqza0Lol8.5Mfc6wl4T_LYkJ1sbfQC.Rhk6o7 NrYCE2.RRdpbLmRyLgWO1qSJMBphOhEbZ250orHhCaGpCjSUrqIxWOK56O8OM_k2PvLitU15p7I7 QML.Xp8loBIgw_1jaU1JO1h2p2QznW_TbsubjJ2_q.hl4Y1ntqXCGt7ocaE3o60mAUSsKLi5lNsF FHNIfZ2JakJ3fNACX4dYVIPhrxfrRmg3aFWBNEUaCu3jhaa92lxBgfNAv0mHTDo1r.hdsVK4p0bd wQ..BteLq3hDBFSoOzwQpGHYDBuPqGRvi5RG27EYE8K3EGwkc4mHJcgDHXNiwwAtEc0fC2xDMLjm ERhKhaSlhbMEcuAzr5m8mlJgJ2cFZ9kTZOWVl.iE2XX1M2wKSvONfM7kT_YMntTXjgiGxkpowS0U NDWETzLcSRnOvJUUc4n3LL5Ij._3JOqJuOBfjF.okSe6ZGLDqL341s0vtR7nyP2T61Gj2u85VR31 semX4p7MBPhXFQmntEJrAH96TYc4s0tdXDQxQlzlyUgpCVl0JbQW6tRBYvf1mWHE5AaSMaXxGhDX W477DKUgtMR2LmYu0jiNg9znecKiF.t8JQik87wY0Q1QStN8m2wrzDKdxA6q7WMKSrW9Szsk4qFp lg.QPVPsiAwrgjX.nfRjyt7yFAixu_8kxUxtQ0LTK15fOAr296yUA.mhG0bw6i5oUlqWvks7u8X9 l60.rWpp88UJoWv8xdCR1.43LRfcOpbJmxfacPvZMtsV8ew0h4D7BXhYiSMutiy1JgTynMMKF7pl h2oLdhsgww8ouCprNX2eJ1.gvEvWQniyBtVQx_tca9XUjH9pNO.fioKT5 Received: from sonic.gate.mail.ne1.yahoo.com by sonic301.consmr.mail.bf2.yahoo.com with HTTP; Thu, 28 Feb 2019 22:44:39 +0000 Received: from c-67-169-65-224.hsd1.ca.comcast.net (EHLO localhost.localdomain) ([67.169.65.224]) by smtp430.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 41bc5dec9e4ecaa87e9a199cc17828e6; Thu, 28 Feb 2019 22:44:35 +0000 (UTC) From: Casey Schaufler To: jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com Subject: [PATCH 93/97] Smack: Use the NLTYPE on output Date: Thu, 28 Feb 2019 14:43:52 -0800 Message-Id: <20190228224356.2608-24-casey@schaufler-ca.com> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20190228224356.2608-1-casey@schaufler-ca.com> References: <20190228224356.2608-1-casey@schaufler-ca.com> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Use the saved NLTYPE to determine if the packet needs to be labeled in the output path. Signed-off-by: Casey Schaufler --- security/smack/smack_netfilter.c | 42 +++++++++++++++++++++----------- 1 file changed, 28 insertions(+), 14 deletions(-) diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c index ea45b173f8ca..7d202dde75b6 100644 --- a/security/smack/smack_netfilter.c +++ b/security/smack/smack_netfilter.c @@ -26,10 +26,19 @@ static bool smack_checked_secmark; void smack_secmark_refcount_inc(void) { - smack_use_secmark = true; + smack_use_secmark = true; pr_info("Smack: Using network secmarks.\n"); } +static void smack_own_secmark(void) +{ + if (!smack_checked_secmark) { + security_secmark_refcount_inc(); + security_secmark_refcount_dec(); + smack_checked_secmark = true; + } +} + #if IS_ENABLED(CONFIG_IPV6) static unsigned int smack_ipv6_output(void *priv, @@ -40,11 +49,7 @@ static unsigned int smack_ipv6_output(void *priv, struct socket_smack *ssp; struct smack_known *skp; - if (!smack_checked_secmark) { - security_secmark_refcount_inc(); - security_secmark_refcount_dec(); - smack_checked_secmark = true; - } + smack_own_secmark(); if (smack_use_secmark && sk && smack_sock(sk)) { ssp = smack_sock(sk); @@ -63,17 +68,26 @@ static unsigned int smack_ipv4_output(void *priv, struct sock *sk = skb_to_full_sk(skb); struct socket_smack *ssp; struct smack_known *skp; + int rc = 0; - if (!smack_checked_secmark) { - security_secmark_refcount_inc(); - security_secmark_refcount_dec(); - smack_checked_secmark = true; - } + smack_own_secmark(); - if (smack_use_secmark && sk && smack_sock(sk)) { - ssp = smack_sock(sk); - skp = ssp->smk_out; + if (sk == NULL) + return NF_ACCEPT; + + ssp = smack_sock(sk); + if (ssp == NULL) + return NF_ACCEPT; + + skp = ssp->smk_out; + if (smack_use_secmark) skb->secmark = skp->smk_secid; + + if (ssp->smk_set == NETLBL_NLTYPE_ADDRSELECT) { + rc = netlbl_skbuff_setattr(skb, PF_INET, &skp->smk_netlabel); + if (rc < 0) + return NF_DROP; + ssp->smk_set = rc; } return NF_ACCEPT;