[PATCH 3.16.y-ckt 065/126] net: Reset secmark when scrubbing packet
3.16.7-ckt5 -stable review patch. If anyone has any objections, please let me know. -- From: Thomas Graf commit b8fb4e0648a2ab3734140342002f68fb0c7d1602 upstream. skb_scrub_packet() is called when a packet switches between a context such as between underlay and overlay, between namespaces, or between L3 subnets. While we already scrub the packet mark, connection tracking entry, and cached destination, the security mark/context is left intact. It seems wrong to inherit the security context of a packet when going from overlay to underlay or across forwarding paths. Signed-off-by: Thomas Graf Acked-by: Flavio Leitner Signed-off-by: David S. Miller Signed-off-by: Luis Henriques --- net/core/skbuff.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/core/skbuff.c b/net/core/skbuff.c index f5f14d54d6a2..fe07faaed256 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -3933,6 +3933,7 @@ void skb_scrub_packet(struct sk_buff *skb, bool xnet) skb->ignore_df = 0; skb_dst_drop(skb); skb->mark = 0; + skb_init_secmark(skb); secpath_reset(skb); nf_reset(skb); nf_reset_trace(skb); -- 2.1.4 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.16.y-ckt 065/126] net: Reset secmark when scrubbing packet
3.16.7-ckt5 -stable review patch. If anyone has any objections, please let me know. -- From: Thomas Graf tg...@suug.ch commit b8fb4e0648a2ab3734140342002f68fb0c7d1602 upstream. skb_scrub_packet() is called when a packet switches between a context such as between underlay and overlay, between namespaces, or between L3 subnets. While we already scrub the packet mark, connection tracking entry, and cached destination, the security mark/context is left intact. It seems wrong to inherit the security context of a packet when going from overlay to underlay or across forwarding paths. Signed-off-by: Thomas Graf tg...@suug.ch Acked-by: Flavio Leitner f...@sysclose.org Signed-off-by: David S. Miller da...@davemloft.net Signed-off-by: Luis Henriques luis.henriq...@canonical.com --- net/core/skbuff.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/core/skbuff.c b/net/core/skbuff.c index f5f14d54d6a2..fe07faaed256 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -3933,6 +3933,7 @@ void skb_scrub_packet(struct sk_buff *skb, bool xnet) skb-ignore_df = 0; skb_dst_drop(skb); skb-mark = 0; + skb_init_secmark(skb); secpath_reset(skb); nf_reset(skb); nf_reset_trace(skb); -- 2.1.4 -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
