From patchwork Mon Jun 20 13:36:56 2016
X-Patchwork-Submitter: Huw Davies
X-Patchwork-Id: 9187571
From: Huw Davies
To: netdev@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov
Subject: [PATCH v4 16/19] netlabel: Pass a family parameter to netlbl_skbuff_err().
Date: Mon, 20 Jun 2016 14:36:56 +0100
Message-Id: <1466429819-12707-17-git-send-email-huw@codeweavers.com>
X-Mailer: git-send-email 2.7.4
List-Id: "Security-Enhanced Linux (SELinux) mailing list"

This makes it possible to route the error to the appropriate labelling engine. CALIPSO is far less verbose than CIPSO when encountering a bogus packet, so there is no need for a CALIPSO error handler.

Signed-off-by: Huw Davies
---
 include/net/netlabel.h              |  2 +-
 net/netlabel/netlabel_kapi.c        | 11 ++++++++---
 security/selinux/hooks.c            |  6 +++---
 security/selinux/include/netlabel.h |  4 +++-
 security/selinux/netlabel.c         |  6 +++---
 security/smack/smack_lsm.c          |  2 +-
 6 files changed, 19 insertions(+), 12 deletions(-)

diff --git a/include/net/netlabel.h b/include/net/netlabel.h index e0e4ce8..d8a46a8 100644 --- a/include/net/netlabel.h +++ b/include/net/netlabel.h @@ -488,7 +488,7 @@ int netlbl_skbuff_setattr(struct sk_buff *skb, int netlbl_skbuff_getattr(const struct sk_buff *skb, u16 family, struct netlbl_lsm_secattr *secattr); -void netlbl_skbuff_err(struct sk_buff *skb, int error, int gateway); +void netlbl_skbuff_err(struct sk_buff *skb, u16 family, int error, int gateway); /* * LSM label mapping cache operations diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c index bace474..35df8f5 100644 --- a/net/netlabel/netlabel_kapi.c +++ b/net/netlabel/netlabel_kapi.c
@@ -1250,6 +1250,7 @@ int netlbl_skbuff_getattr(const struct sk_buff *skb, /** * netlbl_skbuff_err - Handle a LSM error on a sk_buff * @skb: the packet + * @family: the family * @error: the error code * @gateway: true if host is acting as a gateway, false otherwise * @@ -1259,10 +1260,14 @@ int netlbl_skbuff_getattr(const struct sk_buff *skb, * according to the packet's labeling protocol. * */ -void netlbl_skbuff_err(struct sk_buff *skb, int error, int gateway) +void netlbl_skbuff_err(struct sk_buff *skb, u16 family, int error, int gateway) { - if (cipso_v4_optptr(skb)) - cipso_v4_error(skb, error, gateway); + switch (family) { + case AF_INET: + if (cipso_v4_optptr(skb)) + cipso_v4_error(skb, error, gateway); + break; + } } /** diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 93eed8f..0324493 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -4539,13 +4539,13 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif, addrp, family, peer_sid, &ad); if (err) { - selinux_netlbl_err(skb, err, 0); + selinux_netlbl_err(skb, family, err, 0); return err; } err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, PEER__RECV, &ad); if (err) { - selinux_netlbl_err(skb, err, 0); + selinux_netlbl_err(skb, family, err, 0); return err; } } @@ -4911,7 +4911,7 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex, addrp, family, peer_sid, &ad); if (err) { - selinux_netlbl_err(skb, err, 1); + selinux_netlbl_err(skb, family, err, 1); return NF_DROP; } } diff --git a/security/selinux/include/netlabel.h b/security/selinux/include/netlabel.h index 8c59b8f..75686d5 100644 --- a/security/selinux/include/netlabel.h +++ b/security/selinux/include/netlabel.h 
@@ -40,7 +40,8 @@ #ifdef CONFIG_NETLABEL void selinux_netlbl_cache_invalidate(void); -void selinux_netlbl_err(struct sk_buff *skb, int error, int gateway); +void selinux_netlbl_err(struct sk_buff *skb, u16 family, int error, + int gateway); void selinux_netlbl_sk_security_free(struct sk_security_struct *sksec); void selinux_netlbl_sk_security_reset(struct sk_security_struct *sksec); @@ -72,6 +73,7 @@ static inline void selinux_netlbl_cache_invalidate(void) } static inline void selinux_netlbl_err(struct sk_buff *skb, + u16 family, int error, int gateway) { diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c index ca220c3..dfca50d 100644 --- a/security/selinux/netlabel.c +++ b/security/selinux/netlabel.c @@ -151,9 +151,9 @@ void selinux_netlbl_cache_invalidate(void) * present on the packet, NetLabel is smart enough to only act when it should. * */ -void selinux_netlbl_err(struct sk_buff *skb, int error, int gateway) +void selinux_netlbl_err(struct sk_buff *skb, u16 family, int error, int gateway) { - netlbl_skbuff_err(skb, error, gateway); + netlbl_skbuff_err(skb, family, error, gateway); } /** @@ -405,7 +405,7 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, return 0; if (nlbl_sid != SECINITSID_UNLABELED) - netlbl_skbuff_err(skb, rc, 0); + netlbl_skbuff_err(skb, family, rc, 0); return rc; } diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 11f7901..292fdea 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -3992,7 +3992,7 @@ access_check: rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in, MAY_WRITE, rc); if (rc != 0) - netlbl_skbuff_err(skb, rc, 0); + netlbl_skbuff_err(skb, sk->sk_family, rc, 0); break; #if IS_ENABLED(CONFIG_IPV6) case PF_INET6:
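Review bot: the include/net/netlabel.h hunk changes the exported prototype of netlbl_skbuff_err() without a compatibility wrapper, so every in-tree caller has to be converted in this same patch to keep the tree building at each bisect step; the diffstat shows the SELinux and Smack callers being updated, which are the two NetLabel users, but please confirm with a grep over the tree that no other caller of netlbl_skbuff_err() is left with the old three-argument form.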
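Review bot: the new kernel-doc line `@family: the family` in the net/netlabel/netlabel_kapi.c hunk at -1250 tells the reader nothing beyond the parameter name; say what the value is and where it comes from, for example `@family: the address family of the packet (AF_INET or AF_INET6)`, since it is the value the switch below dispatches on and the callers in this patch hand down their already-resolved family.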
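Review bot: the `switch (family)` added to netlbl_skbuff_err() in the netlabel_kapi.c hunk at -1259 has a single `case AF_INET:` and no `default:` or `case AF_INET6:`, so from the code alone a reader cannot tell whether IPv6 was forgotten or deliberately given no error path. The commit message explains why (CALIPSO is far less verbose than CIPSO on a bogus packet, so no CALIPSO error handler is needed), but that rationale belongs in the function too, either as an explicit `case AF_INET6: break;` with a one-line comment or as a commented `default:`, so that whoever adds the next family is not left guessing.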
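Review bot: the kernel-doc for selinux_netlbl_err() in the security/selinux/netlabel.c hunk at -151 is not updated for the new parameter: the hunk's leading context is the tail of that comment block (`present on the packet, NetLabel is smart enough to only act when it should.`) and no `@family:` line is added, whereas the matching netlabel_kapi.c hunk does document its new parameter. Add `@family: the address family of the packet` to this comment so the two documented signatures stay in step.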
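Review bot: the security/smack/smack_lsm.c hunk passes `sk->sk_family` while every SELinux call site in this patch passes its local `family`; this call sits under `case PF_INET:` of a switch on the socket family (the `break;` and `#if IS_ENABLED(CONFIG_IPV6) case PF_INET6:` that follow are visible in the context), so `sk->sk_family` is known to be PF_INET here and passing `PF_INET` directly, or the variable the switch is on, would make that explicit and avoid re-reading the socket. If the indirection is intentional so that the same line survives a later IPv6 rework, a short comment to that effect would save the next reader the question.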