Linux Security Modules development
 help / color / mirror / Atom feed
* [PATCH] Smack: Fix IPv6 handling of 0 secmark
@ 2019-04-03 22:01 Casey Schaufler
  0 siblings, 0 replies; only message in thread
From: Casey Schaufler @ 2019-04-03 22:01 UTC (permalink / raw)
  To: casey, linux-security-module, SMACK-discuss

Handle the case where the skb for an IPv6 packet contains
a 0 in the secmark for a packet generated locally. This
can only happen for system packets, so allow the access.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
 security/smack/smack_lsm.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index bd45c9139d34..b9abcdb36a73 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3907,6 +3907,8 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
 #ifdef SMACK_IPV6_SECMARK_LABELING
 		if (skb && skb->secmark != 0)
 			skp = smack_from_secid(skb->secmark);
+		else if (smk_ipv6_localhost(&sadd))
+			break;
 		else
 			skp = smack_ipv6host_label(&sadd);
 		if (skp == NULL)
-- 
2.19.1


^ permalink raw reply related	[flat|nested] only message in thread

only message in thread, other threads:[~2019-04-03 22:01 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-04-03 22:01 [PATCH] Smack: Fix IPv6 handling of 0 secmark Casey Schaufler

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox