Re: [PATCH] (02/15/08 Linus git) Smack unlabeled outgoing ambient packets - v4
--- Paul Moore <[EMAIL PROTECTED]> wrote: > On Friday 15 February 2008 6:24:25 pm Casey Schaufler wrote: > > From: Casey Schaufler <[EMAIL PROTECTED]> > > > > Smack uses CIPSO labeling, but allows for unlabeled packets > > by specifying an "ambient" label that is applied to incoming > > unlabeled packets. Because the other end of the connection > > may dislike IP options, and ssh is one know application that > > behaves thus, it is prudent to respond in kind. This patch > > changes the network labeling behavior such that an outgoing > > packet that would be given a CIPSO label that matches the > > ambient label is left unlabeled. An "unlbl" domain is added > > and the netlabel defaulting mechanism invoked rather than > > assuming that everything is CIPSO. Locking has been added > > around changes to the ambient label as the mechanisms used > > to do so are more involved. > > > > Cleaned up some issues noted in review. > > Make smk_cipso_doi() static. > > Create a hook for the new security_secctx_to_secid() > > using existing underlying code. > > Fill in audit data for netlbl domain calls. > > Collapse unnecessary multiple assignments. > > > > Signed-off-by: Casey Schaufler <[EMAIL PROTECTED]> > > Looks good to me, thanks for making those changes. > > Acked-by: Paul Moore <[EMAIL PROTECTED]> Thank you for the insights. Casey Schaufler [EMAIL PROTECTED] -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] (02/15/08 Linus git) Smack unlabeled outgoing ambient packets - v4
On Friday 15 February 2008 6:24:25 pm Casey Schaufler wrote: > From: Casey Schaufler <[EMAIL PROTECTED]> > > Smack uses CIPSO labeling, but allows for unlabeled packets > by specifying an "ambient" label that is applied to incoming > unlabeled packets. Because the other end of the connection > may dislike IP options, and ssh is one know application that > behaves thus, it is prudent to respond in kind. This patch > changes the network labeling behavior such that an outgoing > packet that would be given a CIPSO label that matches the > ambient label is left unlabeled. An "unlbl" domain is added > and the netlabel defaulting mechanism invoked rather than > assuming that everything is CIPSO. Locking has been added > around changes to the ambient label as the mechanisms used > to do so are more involved. > > Cleaned up some issues noted in review. > Make smk_cipso_doi() static. > Create a hook for the new security_secctx_to_secid() > using existing underlying code. > Fill in audit data for netlbl domain calls. > Collapse unnecessary multiple assignments. > > Signed-off-by: Casey Schaufler <[EMAIL PROTECTED]> Looks good to me, thanks for making those changes. Acked-by: Paul Moore <[EMAIL PROTECTED]> > --- > > security/smack/smack_lsm.c | 36 > security/smack/smackfs.c | 61 ++- > 2 files changed, 74 insertions(+), 23 deletions(-) > > diff -uprN -X linux-2.6.25-g0215-base//Documentation/dontdiff > linux-2.6.25-g0215-base/security/smack/smackfs.c > linux-2.6.25-g0215/security/smack/smackfs.c --- > linux-2.6.25-g0215-base/security/smack/smackfs.c 2008-02-15 > 14:25:37.0 -0800 +++ > linux-2.6.25-g0215/security/smack/smackfs.c 2008-02-15 14:30:36.0 > -0800 @@ -24,6 +24,7 @@ > #include > #include > #include > +#include > #include "smack.h" > > /* > @@ -45,6 +46,7 @@ enum smk_inos { > */ > static DEFINE_MUTEX(smack_list_lock); > static DEFINE_MUTEX(smack_cipso_lock); > +static DEFINE_MUTEX(smack_ambient_lock); > > /* > * This is the "ambient" label for network traffic. > @@ -342,6 +344,9 @@ void smk_cipso_doi(void) > struct cipso_v4_doi *doip; > struct netlbl_audit audit_info; > > + audit_info.loginuid = audit_get_loginuid(current); > + audit_info.secid = smack_to_secid(current->security); > + > rc = netlbl_cfg_map_del(NULL, _info); > if (rc != 0) > printk(KERN_WARNING "%s:%d remove rc = %d\n", > @@ -363,6 +368,30 @@ void smk_cipso_doi(void) > __func__, __LINE__, rc); > } > > +/** > + * smk_unlbl_ambient - initialize the unlabeled domain > + */ > +void smk_unlbl_ambient(char *oldambient) > +{ > + int rc; > + struct netlbl_audit audit_info; > + > + audit_info.loginuid = audit_get_loginuid(current); > + audit_info.secid = smack_to_secid(current->security); > + > + if (oldambient != NULL) { > + rc = netlbl_cfg_map_del(oldambient, _info); > + if (rc != 0) > + printk(KERN_WARNING "%s:%d remove rc = %d\n", > +__func__, __LINE__, rc); > + } > + > + rc = netlbl_cfg_unlbl_add_map(smack_net_ambient, _info); > + if (rc != 0) > + printk(KERN_WARNING "%s:%d add rc = %d\n", > +__func__, __LINE__, rc); > +} > + > /* > * Seq_file read operations for /smack/cipso > */ > @@ -709,7 +738,6 @@ static ssize_t smk_read_ambient(struct f > size_t cn, loff_t *ppos) > { > ssize_t rc; > - char out[SMK_LABELLEN]; > int asize; > > if (*ppos != 0) > @@ -717,23 +745,18 @@ static ssize_t smk_read_ambient(struct f > /* >* Being careful to avoid a problem in the case where >* smack_net_ambient gets changed in midstream. > - * Since smack_net_ambient is always set with a value > - * from the label list, including initially, and those > - * never get freed, the worst case is that the pointer > - * gets changed just after this strncpy, in which case > - * the value passed up is incorrect. Locking around > - * smack_net_ambient wouldn't be any better than this > - * copy scheme as by the time the caller got to look > - * at the ambient value it would have cleared the lock > - * and been changed. >*/ > - strncpy(out, smack_net_ambient, SMK_LABELLEN); > - asize = strlen(out) + 1; > + mutex_lock(_ambient_lock); > > - if (cn < asize) > - return -EINVAL; > + asize = strlen(smack_net_ambient) + 1; > + > + if (cn >= asize) > + rc = simple_read_from_buffer(buf, cn, ppos, > + smack_net_ambient, asize); > + else > + rc = -EINVAL; > > - rc = simple_read_from_buffer(buf, cn, ppos, out, asize); > + mutex_unlock(_ambient_lock); > > return rc; > } > @@ -751,6 +774,7 @@ static ssize_t smk_write_ambient(struct >
[PATCH] (02/15/08 Linus git) Smack unlabeled outgoing ambient packets - v4
From: Casey Schaufler <[EMAIL PROTECTED]> Smack uses CIPSO labeling, but allows for unlabeled packets by specifying an "ambient" label that is applied to incoming unlabeled packets. Because the other end of the connection may dislike IP options, and ssh is one know application that behaves thus, it is prudent to respond in kind. This patch changes the network labeling behavior such that an outgoing packet that would be given a CIPSO label that matches the ambient label is left unlabeled. An "unlbl" domain is added and the netlabel defaulting mechanism invoked rather than assuming that everything is CIPSO. Locking has been added around changes to the ambient label as the mechanisms used to do so are more involved. Cleaned up some issues noted in review. Make smk_cipso_doi() static. Create a hook for the new security_secctx_to_secid() using existing underlying code. Fill in audit data for netlbl domain calls. Collapse unnecessary multiple assignments. Signed-off-by: Casey Schaufler <[EMAIL PROTECTED]> --- security/smack/smack_lsm.c | 36 security/smack/smackfs.c | 61 ++- 2 files changed, 74 insertions(+), 23 deletions(-) diff -uprN -X linux-2.6.25-g0215-base//Documentation/dontdiff linux-2.6.25-g0215-base/security/smack/smackfs.c linux-2.6.25-g0215/security/smack/smackfs.c --- linux-2.6.25-g0215-base/security/smack/smackfs.c2008-02-15 14:25:37.0 -0800 +++ linux-2.6.25-g0215/security/smack/smackfs.c 2008-02-15 14:30:36.0 -0800 @@ -24,6 +24,7 @@ #include #include #include +#include #include "smack.h" /* @@ -45,6 +46,7 @@ enum smk_inos { */ static DEFINE_MUTEX(smack_list_lock); static DEFINE_MUTEX(smack_cipso_lock); +static DEFINE_MUTEX(smack_ambient_lock); /* * This is the "ambient" label for network traffic. @@ -342,6 +344,9 @@ void smk_cipso_doi(void) struct cipso_v4_doi *doip; struct netlbl_audit audit_info; + audit_info.loginuid = audit_get_loginuid(current); + audit_info.secid = smack_to_secid(current->security); + rc = netlbl_cfg_map_del(NULL, _info); if (rc != 0) printk(KERN_WARNING "%s:%d remove rc = %d\n", @@ -363,6 +368,30 @@ void smk_cipso_doi(void) __func__, __LINE__, rc); } +/** + * smk_unlbl_ambient - initialize the unlabeled domain + */ +void smk_unlbl_ambient(char *oldambient) +{ + int rc; + struct netlbl_audit audit_info; + + audit_info.loginuid = audit_get_loginuid(current); + audit_info.secid = smack_to_secid(current->security); + + if (oldambient != NULL) { + rc = netlbl_cfg_map_del(oldambient, _info); + if (rc != 0) + printk(KERN_WARNING "%s:%d remove rc = %d\n", + __func__, __LINE__, rc); + } + + rc = netlbl_cfg_unlbl_add_map(smack_net_ambient, _info); + if (rc != 0) + printk(KERN_WARNING "%s:%d add rc = %d\n", + __func__, __LINE__, rc); +} + /* * Seq_file read operations for /smack/cipso */ @@ -709,7 +738,6 @@ static ssize_t smk_read_ambient(struct f size_t cn, loff_t *ppos) { ssize_t rc; - char out[SMK_LABELLEN]; int asize; if (*ppos != 0) @@ -717,23 +745,18 @@ static ssize_t smk_read_ambient(struct f /* * Being careful to avoid a problem in the case where * smack_net_ambient gets changed in midstream. -* Since smack_net_ambient is always set with a value -* from the label list, including initially, and those -* never get freed, the worst case is that the pointer -* gets changed just after this strncpy, in which case -* the value passed up is incorrect. Locking around -* smack_net_ambient wouldn't be any better than this -* copy scheme as by the time the caller got to look -* at the ambient value it would have cleared the lock -* and been changed. */ - strncpy(out, smack_net_ambient, SMK_LABELLEN); - asize = strlen(out) + 1; + mutex_lock(_ambient_lock); - if (cn < asize) - return -EINVAL; + asize = strlen(smack_net_ambient) + 1; + + if (cn >= asize) + rc = simple_read_from_buffer(buf, cn, ppos, +smack_net_ambient, asize); + else + rc = -EINVAL; - rc = simple_read_from_buffer(buf, cn, ppos, out, asize); + mutex_unlock(_ambient_lock); return rc; } @@ -751,6 +774,7 @@ static ssize_t smk_write_ambient(struct size_t count, loff_t *ppos) { char in[SMK_LABELLEN]; + char *oldambient; char *smack; if (!capable(CAP_MAC_ADMIN)) @@ -766,7 +790,13 @@ static ssize_t smk_write_ambient(struct if (smack == NULL) return -EINVAL; + mutex_lock(_ambient_lock); + + oldambient =
[PATCH] (02/15/08 Linus git) Smack unlabeled outgoing ambient packets - v4
From: Casey Schaufler [EMAIL PROTECTED] Smack uses CIPSO labeling, but allows for unlabeled packets by specifying an ambient label that is applied to incoming unlabeled packets. Because the other end of the connection may dislike IP options, and ssh is one know application that behaves thus, it is prudent to respond in kind. This patch changes the network labeling behavior such that an outgoing packet that would be given a CIPSO label that matches the ambient label is left unlabeled. An unlbl domain is added and the netlabel defaulting mechanism invoked rather than assuming that everything is CIPSO. Locking has been added around changes to the ambient label as the mechanisms used to do so are more involved. Cleaned up some issues noted in review. Make smk_cipso_doi() static. Create a hook for the new security_secctx_to_secid() using existing underlying code. Fill in audit data for netlbl domain calls. Collapse unnecessary multiple assignments. Signed-off-by: Casey Schaufler [EMAIL PROTECTED] --- security/smack/smack_lsm.c | 36 security/smack/smackfs.c | 61 ++- 2 files changed, 74 insertions(+), 23 deletions(-) diff -uprN -X linux-2.6.25-g0215-base//Documentation/dontdiff linux-2.6.25-g0215-base/security/smack/smackfs.c linux-2.6.25-g0215/security/smack/smackfs.c --- linux-2.6.25-g0215-base/security/smack/smackfs.c2008-02-15 14:25:37.0 -0800 +++ linux-2.6.25-g0215/security/smack/smackfs.c 2008-02-15 14:30:36.0 -0800 @@ -24,6 +24,7 @@ #include net/cipso_ipv4.h #include linux/seq_file.h #include linux/ctype.h +#include linux/audit.h #include smack.h /* @@ -45,6 +46,7 @@ enum smk_inos { */ static DEFINE_MUTEX(smack_list_lock); static DEFINE_MUTEX(smack_cipso_lock); +static DEFINE_MUTEX(smack_ambient_lock); /* * This is the ambient label for network traffic. @@ -342,6 +344,9 @@ void smk_cipso_doi(void) struct cipso_v4_doi *doip; struct netlbl_audit audit_info; + audit_info.loginuid = audit_get_loginuid(current); + audit_info.secid = smack_to_secid(current-security); + rc = netlbl_cfg_map_del(NULL, audit_info); if (rc != 0) printk(KERN_WARNING %s:%d remove rc = %d\n, @@ -363,6 +368,30 @@ void smk_cipso_doi(void) __func__, __LINE__, rc); } +/** + * smk_unlbl_ambient - initialize the unlabeled domain + */ +void smk_unlbl_ambient(char *oldambient) +{ + int rc; + struct netlbl_audit audit_info; + + audit_info.loginuid = audit_get_loginuid(current); + audit_info.secid = smack_to_secid(current-security); + + if (oldambient != NULL) { + rc = netlbl_cfg_map_del(oldambient, audit_info); + if (rc != 0) + printk(KERN_WARNING %s:%d remove rc = %d\n, + __func__, __LINE__, rc); + } + + rc = netlbl_cfg_unlbl_add_map(smack_net_ambient, audit_info); + if (rc != 0) + printk(KERN_WARNING %s:%d add rc = %d\n, + __func__, __LINE__, rc); +} + /* * Seq_file read operations for /smack/cipso */ @@ -709,7 +738,6 @@ static ssize_t smk_read_ambient(struct f size_t cn, loff_t *ppos) { ssize_t rc; - char out[SMK_LABELLEN]; int asize; if (*ppos != 0) @@ -717,23 +745,18 @@ static ssize_t smk_read_ambient(struct f /* * Being careful to avoid a problem in the case where * smack_net_ambient gets changed in midstream. -* Since smack_net_ambient is always set with a value -* from the label list, including initially, and those -* never get freed, the worst case is that the pointer -* gets changed just after this strncpy, in which case -* the value passed up is incorrect. Locking around -* smack_net_ambient wouldn't be any better than this -* copy scheme as by the time the caller got to look -* at the ambient value it would have cleared the lock -* and been changed. */ - strncpy(out, smack_net_ambient, SMK_LABELLEN); - asize = strlen(out) + 1; + mutex_lock(smack_ambient_lock); - if (cn asize) - return -EINVAL; + asize = strlen(smack_net_ambient) + 1; + + if (cn = asize) + rc = simple_read_from_buffer(buf, cn, ppos, +smack_net_ambient, asize); + else + rc = -EINVAL; - rc = simple_read_from_buffer(buf, cn, ppos, out, asize); + mutex_unlock(smack_ambient_lock); return rc; } @@ -751,6 +774,7 @@ static ssize_t smk_write_ambient(struct size_t count, loff_t *ppos) { char in[SMK_LABELLEN]; + char *oldambient; char *smack; if (!capable(CAP_MAC_ADMIN)) @@ -766,7 +790,13 @@ static ssize_t smk_write_ambient(struct if (smack == NULL) return -EINVAL; +
Re: [PATCH] (02/15/08 Linus git) Smack unlabeled outgoing ambient packets - v4
On Friday 15 February 2008 6:24:25 pm Casey Schaufler wrote: From: Casey Schaufler [EMAIL PROTECTED] Smack uses CIPSO labeling, but allows for unlabeled packets by specifying an ambient label that is applied to incoming unlabeled packets. Because the other end of the connection may dislike IP options, and ssh is one know application that behaves thus, it is prudent to respond in kind. This patch changes the network labeling behavior such that an outgoing packet that would be given a CIPSO label that matches the ambient label is left unlabeled. An unlbl domain is added and the netlabel defaulting mechanism invoked rather than assuming that everything is CIPSO. Locking has been added around changes to the ambient label as the mechanisms used to do so are more involved. Cleaned up some issues noted in review. Make smk_cipso_doi() static. Create a hook for the new security_secctx_to_secid() using existing underlying code. Fill in audit data for netlbl domain calls. Collapse unnecessary multiple assignments. Signed-off-by: Casey Schaufler [EMAIL PROTECTED] Looks good to me, thanks for making those changes. Acked-by: Paul Moore [EMAIL PROTECTED] --- security/smack/smack_lsm.c | 36 security/smack/smackfs.c | 61 ++- 2 files changed, 74 insertions(+), 23 deletions(-) diff -uprN -X linux-2.6.25-g0215-base//Documentation/dontdiff linux-2.6.25-g0215-base/security/smack/smackfs.c linux-2.6.25-g0215/security/smack/smackfs.c --- linux-2.6.25-g0215-base/security/smack/smackfs.c 2008-02-15 14:25:37.0 -0800 +++ linux-2.6.25-g0215/security/smack/smackfs.c 2008-02-15 14:30:36.0 -0800 @@ -24,6 +24,7 @@ #include net/cipso_ipv4.h #include linux/seq_file.h #include linux/ctype.h +#include linux/audit.h #include smack.h /* @@ -45,6 +46,7 @@ enum smk_inos { */ static DEFINE_MUTEX(smack_list_lock); static DEFINE_MUTEX(smack_cipso_lock); +static DEFINE_MUTEX(smack_ambient_lock); /* * This is the ambient label for network traffic. @@ -342,6 +344,9 @@ void smk_cipso_doi(void) struct cipso_v4_doi *doip; struct netlbl_audit audit_info; + audit_info.loginuid = audit_get_loginuid(current); + audit_info.secid = smack_to_secid(current-security); + rc = netlbl_cfg_map_del(NULL, audit_info); if (rc != 0) printk(KERN_WARNING %s:%d remove rc = %d\n, @@ -363,6 +368,30 @@ void smk_cipso_doi(void) __func__, __LINE__, rc); } +/** + * smk_unlbl_ambient - initialize the unlabeled domain + */ +void smk_unlbl_ambient(char *oldambient) +{ + int rc; + struct netlbl_audit audit_info; + + audit_info.loginuid = audit_get_loginuid(current); + audit_info.secid = smack_to_secid(current-security); + + if (oldambient != NULL) { + rc = netlbl_cfg_map_del(oldambient, audit_info); + if (rc != 0) + printk(KERN_WARNING %s:%d remove rc = %d\n, +__func__, __LINE__, rc); + } + + rc = netlbl_cfg_unlbl_add_map(smack_net_ambient, audit_info); + if (rc != 0) + printk(KERN_WARNING %s:%d add rc = %d\n, +__func__, __LINE__, rc); +} + /* * Seq_file read operations for /smack/cipso */ @@ -709,7 +738,6 @@ static ssize_t smk_read_ambient(struct f size_t cn, loff_t *ppos) { ssize_t rc; - char out[SMK_LABELLEN]; int asize; if (*ppos != 0) @@ -717,23 +745,18 @@ static ssize_t smk_read_ambient(struct f /* * Being careful to avoid a problem in the case where * smack_net_ambient gets changed in midstream. - * Since smack_net_ambient is always set with a value - * from the label list, including initially, and those - * never get freed, the worst case is that the pointer - * gets changed just after this strncpy, in which case - * the value passed up is incorrect. Locking around - * smack_net_ambient wouldn't be any better than this - * copy scheme as by the time the caller got to look - * at the ambient value it would have cleared the lock - * and been changed. */ - strncpy(out, smack_net_ambient, SMK_LABELLEN); - asize = strlen(out) + 1; + mutex_lock(smack_ambient_lock); - if (cn asize) - return -EINVAL; + asize = strlen(smack_net_ambient) + 1; + + if (cn = asize) + rc = simple_read_from_buffer(buf, cn, ppos, + smack_net_ambient, asize); + else + rc = -EINVAL; - rc = simple_read_from_buffer(buf, cn, ppos, out, asize); + mutex_unlock(smack_ambient_lock); return rc; } @@ -751,6 +774,7 @@ static ssize_t smk_write_ambient(struct size_t count, loff_t *ppos) { char
Re: [PATCH] (02/15/08 Linus git) Smack unlabeled outgoing ambient packets - v4
--- Paul Moore [EMAIL PROTECTED] wrote: On Friday 15 February 2008 6:24:25 pm Casey Schaufler wrote: From: Casey Schaufler [EMAIL PROTECTED] Smack uses CIPSO labeling, but allows for unlabeled packets by specifying an ambient label that is applied to incoming unlabeled packets. Because the other end of the connection may dislike IP options, and ssh is one know application that behaves thus, it is prudent to respond in kind. This patch changes the network labeling behavior such that an outgoing packet that would be given a CIPSO label that matches the ambient label is left unlabeled. An unlbl domain is added and the netlabel defaulting mechanism invoked rather than assuming that everything is CIPSO. Locking has been added around changes to the ambient label as the mechanisms used to do so are more involved. Cleaned up some issues noted in review. Make smk_cipso_doi() static. Create a hook for the new security_secctx_to_secid() using existing underlying code. Fill in audit data for netlbl domain calls. Collapse unnecessary multiple assignments. Signed-off-by: Casey Schaufler [EMAIL PROTECTED] Looks good to me, thanks for making those changes. Acked-by: Paul Moore [EMAIL PROTECTED] Thank you for the insights. Casey Schaufler [EMAIL PROTECTED] -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/