SMACK LSM checks wrong object label during ingress network traffic

Casey Schaufler casey at schaufler-ca.com
Thu Sep 1 16:26:25 UTC 2022


On 9/1/2022 1:40 AM, Lontke, Michael wrote:
> ...
> Thank you for your feedback. If your tests are successful you can add
>
> Signed-off-by: Michael Lontke <michael.lontke at elektrobit.com>
> Co-authored-by: Martin Ostertag <martin.ostertag at elektrobit.com>
>
> to the patch.

Everything looks fine. I have added the patch to

	https://github.com/cschaufler/smack-next#next

for inclusion in the v6.1 Linux kernel. Thank you.

>
>>> From: Lontke Michael <michael.lontke at elektrobit.com>
>>> Date: Wed, 31 Aug 2022 14:03:26 +0200
>>> Subject: [PATCH] SMACK: Add sk_clone_security LSM hook
>>>
>>> Using smk_of_current() during sk_alloc_security hook leads in rare
>>> cases
>>> to a faulty initialization of the security context of the created
>>> socket.
>>>
>>> By adding the LSM hook sk_clone_security to SMACK this
>>> initialization
>>> fault is corrected by copying the security context of the old
>>> socket
>>> pointer to the newly cloned one.
>>> ---
>>>  security/smack/smack_lsm.c | 16 ++++++++++++++++
>>>  1 file changed, 16 insertions(+)
>>>
>>> diff --git a/security/smack/smack_lsm.c
>>> b/security/smack/smack_lsm.c
>>> index 286171a16ed2..8eb47396376f 100644
>>> --- a/security/smack/smack_lsm.c
>>> +++ b/security/smack/smack_lsm.c
>>> @@ -2348,6 +2348,21 @@ static void smack_sk_free_security(struct
>>> sock
>>> *sk)
>>>       kfree(sk->sk_security);
>>>  }
>>>
>>> +/**
>>> + * smack_sk_clone_security - Copy security context
>>> + * @sk: the old socket
>>> + * @newsk: the new socket
>>> + *
>>> + * Copy the security context of the old socket pointer to the
>>> cloned
>>> + */
>>> +static void smack_sk_clone_security(const struct sock *sk, struct
>>> sock
>>> *newsk)
>>> +{
>>> +     struct socket_smack *ssp_old = sk->sk_security;
>>> +     struct socket_smack *ssp_new = newsk->sk_security;
>>> +
>>> +     *ssp_new = *ssp_old;
>>> +}
>>> +
>>>  /**
>>>  * smack_ipv4host_label - check host based restrictions
>>>  * @sip: the object end
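Review bot: The kernel-doc description of smack_sk_clone_security ends mid-sentence ("to the cloned"); finish it, for example "to the newly cloned socket", so it matches the commit message. In the body, "*ssp_new = *ssp_old;" copies every member of struct socket_smack by value, and that struct is not visible in this hunk, so the comment or the changelog should state that all of its members are safe to duplicate this way (no owned pointer or list linkage that the two sockets must not share). The function also dereferences newsk->sk_security without a check; a sentence on why it is always allocated by the time this hook runs would settle that.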
>>> @@ -4710,6 +4725,7 @@ static struct security_hook_list
>>> smack_hooks[]
>>> __lsm_ro_after_init = {
>>>       LSM_HOOK_INIT(socket_getpeersec_dgram,
>>> smack_socket_getpeersec_dgram),
>>>       LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security),
>>>       LSM_HOOK_INIT(sk_free_security, smack_sk_free_security),
>>> +     LSM_HOOK_INIT(sk_clone_security, smack_sk_clone_security),
>>>       LSM_HOOK_INIT(sock_graft, smack_sock_graft),
>>>       LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request),
>>>       LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone),
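Review bot: The new sk_clone_security entry joins a list that already registers sock_graft and inet_csk_clone, and neither the changelog nor this hunk says how the copied context relates to those hooks. Please add a sentence to the commit message naming the socket-cloning path on which the faulty initialization occurs and stating whether smack_sock_graft or smack_inet_csk_clone later overwrite what the new hook copies. The "rare cases" wording would be more useful with the triggering condition spelled out.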


