From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <5512C9BF.6020103@schaufler-ca.com>
Date: Wed, 25 Mar 2015 07:44:15 -0700
From: Casey Schaufler
To: Marcin Lis, James Morris, "Serge E. Hallyn", Rafal Krypa, linux-security-module@vger.kernel.org
CC: linux-kernel@vger.kernel.org, Marcin Lis
Subject: Re: [PATCH 1/1] Smack: Assign smack_known_web as default smk_in label for kernel thread's socket
References: <1421937633-2041-1-git-send-email-m.lis@samsung.com>
In-Reply-To: <1421937633-2041-1-git-send-email-m.lis@samsung.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 1/22/2015 6:40 AM, Marcin Lis wrote:
> This change fixes the bug associated with sockets owned by kernel threads. These
> sockets, usually created by network device drivers' tasks, received the smk_in
> label from the task that created them - the "floor" label in most cases. The
> result was that they were not able to receive data packets because of missing
> smack rules. The main reason for the access denial is that the socket smk_in label
> is placed as the object during the smk check; the kernel thread's capabilities are
> omitted.
>
> Signed-off-by: Marcin Lis

Applied to git://git.gitorious.org/smack-next/kernel.git#smack-for-4.1

> ---
> security/smack/smack_lsm.c | 15 ++++++++++++++-
> 1 file changed, 14 insertions(+), 1 deletion(-)
>
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index a688f7b..535a06a 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -2452,7 +2452,20 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name, > static int smack_socket_post_create(struct socket *sock, int family, > int type, int protocol, int kern) > { > - if (family != PF_INET || sock->sk == NULL) > + struct socket_smack *ssp; > + > + if (sock->sk == NULL) > + return 0; > + > + /* > + * Sockets created by kernel threads receive web label. > + */ > + if (unlikely(current->flags & PF_KTHREAD)) { > + ssp = sock->sk->sk_security; > + ssp->smk_in = &smack_known_web; > + } > + > + if (family != PF_INET) > return 0; > /* > * Set the outbound netlbl.
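Review bot: the new block in smack_socket_post_create() keys off `current->flags & PF_KTHREAD` even though the hook already receives a `kern` argument (`int type, int protocol, int kern`), and the comment `Sockets created by kernel threads receive web label.` explains neither why the task flag rather than `kern` is the right test nor why the web label is the right choice; expand the comment to state both, including that the web label is the one Smack accepts from any subject, so this deliberately widens what these sockets may receive, and that because the assignment now sits before the `if (family != PF_INET)` check it applies to sockets of every address family, not only PF_INET as the old early return did.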