[PATCH RFC] Smack: Fix handling of IPv4 traffic received by PF_INET6 sockets
Piotr Sawicki
p.sawicki2 at partner.samsung.com
Wed Jul 11 07:38:15 UTC 2018
On 07/10/2018 06:16 PM, Casey Schaufler wrote:
> On 7/10/2018 8:44 AM, Piotr Sawicki wrote:
>> On 07/10/2018 05:21 PM, Casey Schaufler wrote:
>>> On 7/10/2018 12:05 AM, Piotr Sawicki wrote:
>>>> A socket which has sk_family set to PF_INET6 is able to receive not
>>>> only IPv6 but also IPv4 traffic (IPv4-mapped IPv6 addresses).
>>>>
>>>> Prior to this patch, the smk_skb_to_addr_ipv6() could have been
>>>> called for socket buffers containing IPv4 packets, in result such
>>>> traffic was allowed.
>>>>
>>>> Signed-off-by: Piotr Sawicki <p.sawicki2 at partner.samsung.com>
>>> Looks fine from here. Do you have a simple test case?
>>
>> Yes, I've tested it on Tizen emulator.
>>
>> Tests are available here
>> https://review.tizen.org/gerrit/#/admin/projects/platform/core/test/security-tests,
>> branch nether.
>
> Can you identify the specific test? There's quite a bit to look through.
> Thank you.

ID:NETHER_IPV6_IPV4_LOCAL_INTER_APP_CONNECTION:nether_check_ipv6_srv_ipv4_udp_local_inter_app_connection_internet_access_granted
ID:NETHER_IPV6_IPV4_LOCAL_INTER_APP_CONNECTION:nether_check_ipv6_srv_ipv4_udp_local_inter_app_connection_internet_access_denied

It's a new thing, so tests are still in review:
https://review.tizen.org/gerrit/#/c/183458/

To run the tests on the emulator you also need to apply these patches:
(Nether) https://review.tizen.org/gerrit/#/c/183464/ and turn on IPv6
connection tracking in the kernel. I've used a kernel downloaded from
https://review.tizen.org/gerrit/#/admin/projects/sdk/emulator/emulator-kernel
branch tizen.

I know that these tests are Tizen specific, and it might be really time
consuming to prepare an environment for them. So, I propose to just use
the netcat tool and run one of its instances as a UDP server listening
on IPv6 address [::] and the second one as an IPv4 client.

e.g.
server: nc -6 -l -u 20000
client: nc -u 127.0.0.1 20000

In case of TCP connections, access is properly checked in
smack_inet_conn_request(). But when IPv4-mapped IPv6 addresses are used
and two processes have write access to each other,
smack_socket_sock_rcv_skb() will call smk_skb_to_addr_ipv6() function
for IPv4 packets.
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
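
The netcat check proposed in the message above, as an added userspace example (not part of the original post and not Smack or kernel code): a PF_INET6 UDP socket bound to [::] receives a datagram sent from a PF_INET socket to 127.0.0.1, and the sender shows up as an IPv4-mapped address. The function names are hypothetical, and the program only shows that such packets reach a PF_INET6 socket; it does not exercise any Smack rule.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* 1 if the sender address is IPv4-mapped IPv6 (::ffff:a.b.c.d), else 0. */
int peer_is_v4_mapped(const struct sockaddr_in6 *peer)
{
    return IN6_IS_ADDR_V4MAPPED(&peer->sin6_addr) ? 1 : 0;
}

/* 1: an IPv4 datagram reached the PF_INET6 socket; 0: nothing arrived;
 * -1: sockets or loopback unavailable here, so nothing was tested. */
int v4_arrives_on_v6_socket(void)
{
    int result = -1, off = 0;
    int srv = socket(AF_INET6, SOCK_DGRAM, 0);   /* like: nc -6 -l -u */
    int cli = socket(AF_INET, SOCK_DGRAM, 0);    /* like: nc -u 127.0.0.1 */
    struct sockaddr_in6 any6, peer;
    struct sockaddr_in dst;
    struct timeval tv = { 1, 0 };                /* do not block forever */
    socklen_t len = sizeof(any6);
    char buf[16];
    if (srv < 0 || cli < 0) goto out;
    setsockopt(srv, IPPROTO_IPV6, IPV6_V6ONLY, &off, sizeof(off)); /* dual-stack */
    setsockopt(srv, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));
    memset(&any6, 0, sizeof(any6));
    any6.sin6_family = AF_INET6;                 /* [::], kernel-chosen port */
    if (bind(srv, (struct sockaddr *)&any6, sizeof(any6)) < 0) goto out;
    if (getsockname(srv, (struct sockaddr *)&any6, &len) < 0) goto out;
    memset(&dst, 0, sizeof(dst));
    dst.sin_family = AF_INET;
    dst.sin_port = any6.sin6_port;
    dst.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (sendto(cli, "ping", 4, 0, (struct sockaddr *)&dst, sizeof(dst)) != 4) goto out;
    len = sizeof(peer);
    if (recvfrom(srv, buf, sizeof(buf), 0, (struct sockaddr *)&peer, &len) < 0)
        result = 0;
    else
        result = peer_is_v4_mapped(&peer);
out:
    if (srv >= 0) close(srv);
    if (cli >= 0) close(cli);
    return result;
}
int main(void) { printf("result: %d\n", v4_arrives_on_v6_socket()); return 0; }
```

A result of 1 means the receive path for a PF_INET6 socket handled an IPv4 packet, which is the case where a hook has to look at the packet's protocol rather than the socket's sk_family.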