[PATCH 34/97] NET: Remove scaffolding on secmarks
Casey Schaufler
casey at schaufler-ca.com
Thu Feb 28 22:18:30 UTC 2019
Replace the lsm_export scaffolding in xt_SECMARK.c
This raises an issue, in that Smack users have been
using SECMARK_MODE_SEL, which is suppoed to be exclusively
for SELinux. This is worked around in the code, but not
fully addressed.
Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
---
net/netfilter/xt_SECMARK.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index 2def8d8898e6..9a2a97c200a2 100644
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -55,6 +55,7 @@ static int checkentry_lsm(struct xt_secmark_target_info *info)
info->secctx[SECMARK_SECCTX_MAX - 1] = '\0';
info->secid = 0;
+ lsm_export_init(&le);
err = security_secctx_to_secid(info->secctx, strlen(info->secctx), &le);
if (err) {
if (err == -EINVAL)
@@ -63,7 +64,12 @@ static int checkentry_lsm(struct xt_secmark_target_info *info)
return err;
}
- lsm_export_secid(&le, &info->secid);
+ /* Smack is cheating, using SECMARK_MODE_SEL */
+ if (le.selinux)
+ info->secid = le.selinux;
+ else
+ info->secid = le.smack;
+
if (!info->secid) {
pr_info_ratelimited("unable to map security context \'%s\'\n",
info->secctx);
--
2.17.0
More information about the Linux-security-module-archive
mailing list