[PATCH] (2.6.24-rc4-mm1) -mm Smack getpeercred_stream fix for SO_PEERSEC and TCP

Score:

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

[view in full thread]

From: Casey Schaufler <casey@...>

To: <akpm@...>, <torvalds@...>

Cc: <linux-kernel@...>, <linux-security-module@...>

Subject: [PATCH] (2.6.24-rc4-mm1) -mm Smack getpeercred_stream fix for SO_PEERSEC and TCP

Date: Friday, December 7, 2007 - 4:57 pm

From: Casey Schaufler <casey@schaufler-ca.com>

Collect the Smack label of the other end on connection so that
getsockopt(..., SO_PEERSEC, ...) can report it. This is done
in smack_inet_conn_request(). Report the correct value in
smack_socket_getpeersec_stream(). Initialize the smk_packet
field in the socket blob. Comment on the purpose of smk_packet
in the header file and remove the unused smk_depth field from
the blob.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>

---

 security/smack/smack.h     |    7 +++----
 security/smack/smack_lsm.c |   14 +++++++++++---
 2 files changed, 14 insertions(+), 7 deletions(-)

diff -uprN -X linux-2.6.24-rc4-mm1-base/Documentation/dontdiff linux-2.6.24-rc4-mm1-base/security/smack/smack.h linux-2.6.24-rc4-mm1-smack/security/smack/smack.h
--- linux-2.6.24-rc4-mm1-base/security/smack/smack.h	2007-12-04 19:20:59.000000000 -0800
+++ linux-2.6.24-rc4-mm1-smack/security/smack/smack.h	2007-12-07 09:25:16.000000000 -0800
@@ -44,10 +44,9 @@ struct superblock_smack {
 };
 
 struct socket_smack {
-	char		*smk_out;	/* outbound label */
-	char		*smk_in;	/* inbound label */
-	char		smk_packet[SMK_LABELLEN];
-	int		smk_depth;
+	char		*smk_out;			/* outbound label */
+	char		*smk_in;			/* inbound label */
+	char		smk_packet[SMK_LABELLEN];	/* TCP peer label */
 };
 
 /*
diff -uprN -X linux-2.6.24-rc4-mm1-base/Documentation/dontdiff linux-2.6.24-rc4-mm1-base/security/smack/smack_lsm.c linux-2.6.24-rc4-mm1-smack/security/smack/smack_lsm.c
--- linux-2.6.24-rc4-mm1-base/security/smack/smack_lsm.c	2007-12-04 19:20:59.000000000 -0800
+++ linux-2.6.24-rc4-mm1-smack/security/smack/smack_lsm.c	2007-12-07 11:10:58.000000000 -0800
@@ -1232,6 +1232,7 @@ static int smack_sk_alloc_security(struc
 
 	ssp->smk_in = csp;
 	ssp->smk_out = csp;
+	ssp->smk_packet[0] = '\0';
 
 	sk->sk_security = ssp;
 
@@ -2115,11 +2116,11 @@ static int smack_socket_getpeersec_strea
 	int rc = 0;
 
 	ssp = sock->sk->sk_security;
-	slen = strlen(ssp->smk_out);
+	slen = strlen(ssp->smk_packet) + 1;
 
 	if (slen > len)
 		rc = -ERANGE;
-	else if (copy_to_user(optval, ssp->smk_out, slen) != 0)
+	else if (copy_to_user(optval, ssp->smk_packet, slen) != 0)
 		rc = -EFAULT;
 
 	if (put_user(slen, optlen) != 0)
@@ -2251,8 +2252,15 @@ static int smack_inet_conn_request(struc
 	/*
 	 * Receiving a packet requires that the other end
 	 * be able to write here. Read access is not required.
+	 *
+	 * If the request is successful save the peer's label
+	 * so that SO_PEERCRED can report it.
 	 */
-	return smk_access(smack, ssp->smk_in, MAY_WRITE);
+	rc = smk_access(smack, ssp->smk_in, MAY_WRITE);
+	if (rc == 0)
+		strncpy(ssp->smk_packet, smack, SMK_MAXLEN);
+
+	return rc;
 }
 
 /*

--
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

[PATCH] (2.6.24-rc4-mm1) -mm Smack getpeercred_stream fix fo..., Casey Schaufler, (Fri Dec 7, 4:57 pm)


linux-kernel:
Junio C Hamano	[ANNOUNCE] GIT 1.6.0
Linus Torvalds	Re: [ANNOUNCE] mdb: Merkey's Linux Kernel Debugger 2.6.27-rc4 released
Bart Van Assche	Integration of SCST in the mainstream Linux kernel
Paul Menage	Re: [RFC][PATCH 6/7] Account for the number of tasks within container
git:
Nicolas Pitre	Re: pack operation is thrashing my server
Scott Chacon	Git Community Book
Greg KH	Re: [ANNOUNCE] pg - A patch porcelain for GIT
Lars Hjemli	[PATCH] git-merge: add option --no-ff
openbsd-misc:
GVG GVG	ssh_exchange_identification: Connection closed by remote host
Nick Guenther	Re: Real men don't attack straw men
Travers Buda	Re: Important OpenBSD errata
Gregory Edigarov	How to re-build openssl with SHA1 support?
linux-fsdevel:
Al Boldi	[RFC] VM: I have a dream...
Dave Kleikamp	Re: [RFC] Heads up on sys_fallocate()
Jörn	Review status (Re: [PATCH] LogFS take three)
Chris Mason	[ANNOUNCE] Btrfs v0.12 released


How to make initramfs smaller	2 hours ago	Linux kernel
How to exec user process in kernel mode.	4 hours ago	Linux kernel
how to check if a given block device is in use?	5 hours ago	Linux kernel
[IPSEC]IPSEC_MANUAL_REQID_MAX	3 days ago	Linux kernel
help in UDP catching module..	4 days ago	Linux kernel
Is there anything like Real-time drivers?	5 days ago	Linux general
ns16550 serail console in Linux 2.6.19	5 days ago	Linux general
what class should i use to register my devices	6 days ago	Linux kernel
reset bios pasword toshiba	6 days ago	Hardware
Analysis of Process Scheduling	1 week ago	Linux kernel

[PATCH] (2.6.24-rc4-mm1) -mm Smack getpeercred_stream fix for SO_PEERSEC and TCP

Online users