+ smack-unlabeled-outgoing-ambient-packets.patch added to -mm tree

+ smack-unlabeled-outgoing-ambient-packets.patch added to -mm tree

[akpm]

The patch titled
     Smack: unlabeled outgoing ambient packets
has been added to the -mm tree.  Its filename is
     smack-unlabeled-outgoing-ambient-packets.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/SubmitChecklist when testing your code ***

See http://www.zip.com.au/~akpm/linux/patches/stuff/added-to-mm.txt to find
out what to do about this

The current -mm tree may be found at http://userweb.kernel.org/~akpm/mmotm/

------------------------------------------------------
Subject: Smack: unlabeled outgoing ambient packets
From: Casey Schaufler <casey@schaufler-ca.com>

Smack uses CIPSO labeling, but allows for unlabeled packets by specifying
an "ambient" label that is applied to incoming unlabeled packets.  Because
the other end of the connection may dislike IP options, and ssh is one know
application that behaves thus, it is prudent to respond in kind.  This
patch changes the network labeling behavior such that an outgoing packet
that would be given a CIPSO label that matches the ambient label is left
unlabeled.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: James Morris <jmorris@namei.org>
Cc: Paul Moore <paul.moore@hp.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 security/smack/smack_lsm.c |    9 +++++++++
 1 file changed, 9 insertions(+)

diff -puN security/smack/smack_lsm.c~smack-unlabeled-outgoing-ambient-packets security/smack/smack_lsm.c
--- a/security/smack/smack_lsm.c~smack-unlabeled-outgoing-ambient-packets
+++ a/security/smack/smack_lsm.c
@@ -1276,6 +1276,12 @@ static void smack_to_secattr(char *smack
  * Convert the outbound smack value (smk_out) to a
  * secattr and attach it to the socket.
  *
+ * If the label is the ambient label do not set the secattr.
+ * Thus, all ambient packets are unlabeled and all unlabeled
+ * packets are ambient. This permits unlabeled responces to
+ * unlabeled requests without knowing on a per-packet basis
+ * if the packet was labeled ambient or was unlabeled.
+ *
  * Returns 0 on success or an error code
  */
 static int smack_netlabel(struct sock *sk)
@@ -1284,6 +1290,9 @@ static int smack_netlabel(struct sock *s
 	struct netlbl_lsm_secattr secattr;
 	int rc = 0;
 
+	if (strncmp(ssp->smk_out, smack_net_ambient, SMK_MAXLEN) == 0)
+		return 0;
+
 	netlbl_secattr_init(&secattr);
 	smack_to_secattr(ssp->smk_out, &secattr);
 	if (secattr.flags != NETLBL_SECATTR_NONE)
_

Patches currently in -mm which might be from casey@schaufler-ca.com are

origin.patch
smack-unlabeled-outgoing-ambient-packets.patch
embed-a-struct-path-into-struct-nameidata-instead-of-nd-dentrymnt-smack-fix.patch

Re: + smack-unlabeled-outgoing-ambient-packets.patch added to -mm tree

[Andrew Morton]

On Thu, 7 Feb 2008 14:50:41 -0500
Paul Moore <paul.moore@hp.com> wrote:

> On Thursday 07 February 2008 2:02:06 pm akpm@linux-foundation.org wrote:
> > The patch titled
> >      Smack: unlabeled outgoing ambient packets
> > has been added to the -mm tree.  Its filename is
> >      smack-unlabeled-outgoing-ambient-packets.patch
> >
> > Before you just go and hit "reply", please:
> >    a) Consider who else should be cc'ed
> >    b) Prefer to cc a suitable mailing list as well
> >    c) Ideally: find the original patch on the mailing list and do a
> >       reply-to-all to that, adding suitable additional cc's
> 
> I didn't see this patch hit any of the relevant mailing lists (am I missing 
> one somewhere?) so I'm just CC'ing everyone on the To/CC line, minus 
> mm-commits.

It was on linux-kernel and netdev.  I've restored those cc's.

> > ------------------------------------------------------
> > Subject: Smack: unlabeled outgoing ambient packets
> > From: Casey Schaufler <casey@schaufler-ca.com>
> >
> > Smack uses CIPSO labeling, but allows for unlabeled packets by specifying
> > an "ambient" label that is applied to incoming unlabeled packets.  Because
> > the other end of the connection may dislike IP options, and ssh is one know
> > application that behaves thus, it is prudent to respond in kind.  This
> > patch changes the network labeling behavior such that an outgoing packet
> > that would be given a CIPSO label that matches the ambient label is left
> > unlabeled.
> 
> I suppose you are entitled to use NetLabel however you want, so long as it 
> works and doesn't cause problems for other users, but I think you are 
> starting down a rather ugly road with this patch.  In my mind a cleaner 
> solution would be to make of use of the built-in NetLabel/LSM domain mapping 
> functionality to accomplish the same thing.  In other words, there is already 
> a mechanism to do what you want, it's probably a good idea to make use of it 
> instead of recreating it.
> 
> I would suggest that when you set the NetLabel security attributes for a 
> socket you set the domain field to the smack label (see the SELinux code for 
> an example, if you are unsure see selinux_netlbl_sock_setsid() and 
> security_netlbl_sid_to_secattr()).  Once you do that you should continue to 
> set the default NetLabel domain mapping to send CIPSO tagged packets but also 
> create a new NetLabel domain mapping so that the ambient smack label causes 
> packets to be sent "unlabeled".  The only other change you would have to make 
> is to ensure that the NetLabel domain mappings are kept in sync with any 
> ambient label changes (should be easy enough and a rather infrequent 
> operation in practice).
> 
> This also should have the advantage of making your life easier if/when more 
> advanced labeled network controls are added to Smack (see the SELinux changes 
> made in 2.6.25 and our previous discussions).
> 

Re: + smack-unlabeled-outgoing-ambient-packets.patch added to -mm tree

[Paul Moore]

On Thursday 07 February 2008 3:04:59 pm Andrew Morton wrote:
> On Thu, 7 Feb 2008 14:50:41 -0500
>
> Paul Moore <paul.moore@hp.com> wrote:
> > On Thursday 07 February 2008 2:02:06 pm akpm@linux-foundation.org wrote:
> > > The patch titled
> > >      Smack: unlabeled outgoing ambient packets
> > > has been added to the -mm tree.  Its filename is
> > >      smack-unlabeled-outgoing-ambient-packets.patch
> > >
> > > Before you just go and hit "reply", please:
> > >    a) Consider who else should be cc'ed
> > >    b) Prefer to cc a suitable mailing list as well
> > >    c) Ideally: find the original patch on the mailing list and do a
> > >       reply-to-all to that, adding suitable additional cc's
> >
> > I didn't see this patch hit any of the relevant mailing lists (am I
> > missing one somewhere?) so I'm just CC'ing everyone on the To/CC line,
> > minus mm-commits.
>
> It was on linux-kernel and netdev.  I've restored those cc's.

My apologies, those mailing list postings there haven't hit my inbox yet.

-- 
paul moore
linux security @ hp

Re: + smack-unlabeled-outgoing-ambient-packets.patch added to -mm tree

[David Miller]

From: Andrew Morton <akpm@linux-foundation.org>
Date: Thu, 7 Feb 2008 12:04:59 -0800

> It was on linux-kernel and netdev.  I've restored those cc's.

Perhaps Paul missed it because his email address was bouncing with
"user unknown" errors a few days ago so he got removed from all the
mailing lists @ vger :-)

Re: + smack-unlabeled-outgoing-ambient-packets.patch added to -mm tree

[David Miller]

From: Paul Moore <paul.moore@hp.com>
Date: Thu, 7 Feb 2008 15:14:34 -0500

> My apologies, those mailing list postings there haven't hit my inbox yet.

I had to remove you a few days ago, see my other reply to
Andrew.

You are back on the lists now, so I hope that bounce problem
has been solved.

Re: + smack-unlabeled-outgoing-ambient-packets.patch added to -mm tree

[Paul Moore]

On Thursday 07 February 2008 8:34:02 pm David Miller wrote:
> From: Paul Moore <paul.moore@hp.com>
> Date: Thu, 7 Feb 2008 15:14:34 -0500
>
> > My apologies, those mailing list postings there haven't hit my inbox yet.
>
> I had to remove you a few days ago, see my other reply to
> Andrew.
>
> You are back on the lists now, so I hope that bounce problem
> has been solved.

Yeah, that discussion with Andrew made me look a bit deeper at my mail folders 
and I realized the last message I received from any of the vger.kernel.org 
mailing lists was late Tuesday night ... I thought Wednesday was awfully 
quiet :/

I have no idea what was causing the mail problem, probably somebody in our IT 
department playing around with some new knobs, oh well.  I resubscribed this 
afternoon with both fingers crossed.

-- 
paul moore
linux security @ hp

Re: + smack-unlabeled-outgoing-ambient-packets.patch added to -mm tree

[David Miller]

From: Paul Moore <paul.moore@hp.com>
Date: Thu, 7 Feb 2008 20:54:56 -0500

> I have no idea what was causing the mail problem, probably somebody
> in our IT department playing around with some new knobs, oh well.  I
> resubscribed this afternoon with both fingers crossed.

In the future please contact postmaster@vger.kernel.org when you
notice you have been unsubscribed so we can work on fixing the
issue.

Blind resubscriptions are severely frowned upon, we remove you for
good reason and if the problem isn't solved you'll just soil up my
inbox further with bounces....

Re: + smack-unlabeled-outgoing-ambient-packets.patch added to -mm tree

[Paul Moore]

On Thursday 07 February 2008 9:15:19 pm David Miller wrote:
> From: Paul Moore <paul.moore@hp.com>
> Date: Thu, 7 Feb 2008 20:54:56 -0500
>
> > I have no idea what was causing the mail problem, probably somebody
> > in our IT department playing around with some new knobs, oh well.  I
> > resubscribed this afternoon with both fingers crossed.
>
> In the future please contact postmaster@vger.kernel.org when you
> notice you have been unsubscribed so we can work on fixing the
> issue.
>
> Blind resubscriptions are severely frowned upon, we remove you for
> good reason and if the problem isn't solved you'll just soil up my
> inbox further with bounces....

Both points noted for future reference.  While the end result is the same, I 
can promise you my actions are not maliciously stupid, just ignorantly 
stupid ;)

-- 
paul moore
linux security @ hp

Re: + smack-unlabeled-outgoing-ambient-packets.patch added to -mm tree

[Paul Moore]

> > > ------------------------------------------------------
> > > Subject: Smack: unlabeled outgoing ambient packets
> > > From: Casey Schaufler <casey@schaufler-ca.com>
> > >
> > > Smack uses CIPSO labeling, but allows for unlabeled packets by
> > > specifying an "ambient" label that is applied to incoming
> > > unlabeled packets.  Because the other end of the connection may
> > > dislike IP options, and ssh is one know application that behaves
> > > thus ...

I forgot to mention this earlier, but RHEL/Fedora/Rawhide has a patched 
version of SSH (see RH bugzilla #202856 for the discussion/patch) that 
fixes the problem of IPv4 options causing SSH to reject the connection.  
It turns out that SSH is being a bit overzealous (rejecting all IPv4 
options) in trying to reject source-routed packets.

-- 
paul moore
linux security @ hp