From: etienne <etienne.basset@numericable.fr>
To: Casey Schaufler <casey@schaufler-ca.com>, Paul Moore <paul.moore@hp.com>
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	LSM <linux-security-module@vger.kernel.org>
Subject: [PATCH][SMACK] add a socket_post_accept hook to fix netlabel issues with labeled TCP servers V1
Date: Tue, 24 Feb 2009 22:28:24 +0100	[thread overview]
Message-ID: <49A46678.1030803@numericable.fr> (raw)

hello,

Today, if a TCP server runs with a SMACK non-ambient label, it will send labeled packets back to the client,
_even_ if the client's IP is in the /smack/netlabel "whitelist";
that's because the "smack_socket_post_create" hook sets labeled CIPSO packets unconditionally.
On connect, they are removed if the dest matches the /smack/netlabel

for ->accept, there is no such "feature"; if the client that just connect is in the /smack/netlabel,
SMACK send packeted label (although it shouldn't)
This breaks some applications (like sshd)


The following patch  adds a "post_access" hook to get the client IP and check it against the netlabel list. 
Please comment

regards,
Etienne

Signed-off-by: <etienne.basset@numericable.fr>
--
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index e6f89d6..74206db 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -27,6 +27,7 @@
 #include <net/netlabel.h>
 #include <net/cipso_ipv4.h>
 #include <linux/audit.h>
+#include <net/ipv6.h>
 
 #include "smack.h"
 
@@ -1566,6 +1567,78 @@ static int smack_socket_connect(struct socket *sock, struct sockaddr *sap,
 }
 
 /**
+ * smack_socket_post_access - post access check
+ * @sock: the socket
+ * @newsock : the grafted sock
+ *
+ * we have to match client IP against smack_host_label()
+ */
+static void  smack_socket_post_accept(struct socket *sock, struct socket *newsock)
+{
+	char *hostsp;
+	struct sockaddr_storage address;
+	struct sockaddr_in *sin;
+	struct sockaddr_in6 *sin6;
+	struct in6_addr *addr6;
+	struct socket_smack *ssp = newsock->sk->sk_security;
+	int len;
+
+	if (sock->sk == NULL)
+		return;
+
+	/* sockets can listen on both IPv4 & IPv6,
+	   and fallback to V4 if client is V4 */
+	if  (newsock->sk->sk_family != AF_INET && newsock->sk->sk_family != AF_INET6)
+		return;
+
+	/* get the client IP address **/
+	newsock->ops->getname(newsock, (struct sockaddr *)&address, &len, 2);
+
+	switch (newsock->sk->sk_family) {
+	case AF_INET:
+		sin = (struct sockaddr_in *)&address;
+		break;
+	case AF_INET6:
+		sin6  = (struct sockaddr_in6 *)&address;
+		addr6 = &sin6->sin6_addr;
+		/* if a V4 client connects to a V6 listening server,
+		 * we will get a IPV6_ADDR_MAPPED mapped address here
+		 * we have to handle this case too
+		 * the test below is ipv6_addr_type()== IPV6_ADDR_MAPPED
+		 * without the requirement to have IPv6 compiled in
+		 */
+		if ((addr6->s6_addr32[0] | addr6->s6_addr32[1]) == 0 &&
+				addr6->s6_addr32[2] == htonl(0x0000ffff)) {
+			__be32 addr = sin6->sin6_addr.s6_addr32[3];
+			__be16 port = sin6->sin6_port;
+			sin = (struct sockaddr_in *)&address;
+			sin->sin_family = AF_INET;
+			sin->sin_port = port;
+			sin->sin_addr.s_addr = addr;
+		} else {
+			/* standard IPv6, we'll send unlabeled */
+			smack_netlabel(newsock->sk, SMACK_UNLABELED_SOCKET);
+			return;
+		}
+		break;
+	default:
+		/** not possible to be there **/
+		return;
+	}
+	/* so, is there a label for the source IP **/
+	hostsp = smack_host_label(sin);
+
+	if (hostsp == NULL) {
+		if (ssp->smk_labeled != SMACK_CIPSO_SOCKET)
+			smack_netlabel(newsock->sk, SMACK_CIPSO_SOCKET);
+		return;
+	}
+	if (ssp->smk_labeled != SMACK_UNLABELED_SOCKET)
+		smack_netlabel(newsock->sk, SMACK_UNLABELED_SOCKET);
+	return;
+}
+
+/**
  * smack_flags_to_may - convert S_ to MAY_ values
  * @flags: the S_ value
  *
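Review bot: The return value of `newsock->ops->getname()` is discarded, so if the peer lookup fails `address` is never filled and the `switch` below casts uninitialised stack memory into `sin`/`sin6` and hands it to `smack_host_label()`; guard it with `if (newsock->ops->getname(newsock, (struct sockaddr *)&address, &len, 2) < 0) return;`. Whether getname can fail for a freshly accepted socket is protocol-specific, but the check costs nothing and keeps the labeling decision from being made on garbage. `newsock->sk->sk_security` is also dereferenced in the initializer of `ssp` before any NULL check, while the guard that follows tests `sock->sk`, the listening socket — it is unclear whether that guard was meant for `newsock->sk` instead. The kernel-doc header names the function `smack_socket_post_access`, which does not match `smack_socket_post_accept`; the comment should use the actual name.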
@@ -2906,6 +2979,7 @@ struct security_operations smack_ops = {
 
 	.socket_post_create = 		smack_socket_post_create,
 	.socket_connect =		smack_socket_connect,
+	.socket_post_accept =           smack_socket_post_accept,
 	.socket_sendmsg =		smack_socket_sendmsg,
 	.socket_sock_rcv_skb = 		smack_socket_sock_rcv_skb,
 	.socket_getpeersec_stream =	smack_socket_getpeersec_stream,
@@ -2936,7 +3010,7 @@ struct security_operations smack_ops = {
 };
 
 
-static __init init_smack_know_list(void)
+static __init void init_smack_know_list(void)
 {
 	list_add(&smack_known_huh.list, &smack_known_list);
 	list_add(&smack_known_hat.list, &smack_known_list);
@@ -2944,6 +3018,7 @@ static __init init_smack_know_list(void)
 	list_add(&smack_known_floor.list, &smack_known_list);
 	list_add(&smack_known_invalid.list, &smack_known_list);
 	list_add(&smack_known_web.list, &smack_known_list);
+	return;
 }
 
 /**
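Review bot: The added `return;` at the end of `init_smack_know_list()` is redundant — the function is `void` and already falls off its closing brace, so the line can simply be dropped. The same applies to the unconditional `return;` that closes `smack_socket_post_accept` in the earlier hunk. The body of `init_smack_know_list` starts in the previous hunk.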

