[PATCH] smack: dont compile ipv6 code unless ipv6 is configured
Casey Schaufler
casey at schaufler-ca.com
Wed Feb 19 21:51:34 UTC 2025
On 1/17/2025 8:36 AM, Konstantin Andreev wrote:
> I want to be sure that ipv6-specific code
> is not compiled in kernel binaries
> if ipv6 is not configured.
>
> [1] was getting rid of "unused variable" warning, but,
> with that, it also mandated compilation of a handful ipv6-
> specific functions in ipv4-only kernel configurations:
>
> smk_ipv6_localhost, smack_ipv6host_label, smk_ipv6_check.
>
> Their compiled bodies are likely to be removed by compiler
> from the resulting binary, but, to be on the safe side,
> I remove them from the compiler view.
>
> [1]
> Fixes: 00720f0e7f28 ("smack: avoid unused 'sip' variable warning")
>
> Signed-off-by: Konstantin Andreev <andreev at swemel.ru>
I have accepted this patch. It is in smack-next.
> ---
> security/smack/smack.h | 6 ++++++
> security/smack/smack_lsm.c | 10 +++++++++-
> 2 files changed, 15 insertions(+), 1 deletion(-)
>
> diff --git a/security/smack/smack.h b/security/smack/smack.h
> index 4608b07607a3..c4d998972ba5 100644
> --- a/security/smack/smack.h
> +++ b/security/smack/smack.h
> @@ -152,6 +152,7 @@ struct smk_net4addr {
> struct smack_known *smk_label; /* label */
> };
>
> +#if IS_ENABLED(CONFIG_IPV6)
> /*
> * An entry in the table identifying IPv6 hosts.
> */
> @@ -162,7 +163,9 @@ struct smk_net6addr {
> int smk_masks; /* mask size */
> struct smack_known *smk_label; /* label */
> };
> +#endif /* CONFIG_IPV6 */
>
> +#ifdef SMACK_IPV6_PORT_LABELING
> /*
> * An entry in the table identifying ports.
> */
> @@ -175,6 +178,7 @@ struct smk_port_label {
> short smk_sock_type; /* Socket type */
> short smk_can_reuse;
> };
> +#endif /* SMACK_IPV6_PORT_LABELING */
>
> struct smack_known_list_elem {
> struct list_head list;
> @@ -315,7 +319,9 @@ extern struct smack_known smack_known_web;
> extern struct mutex smack_known_lock;
> extern struct list_head smack_known_list;
> extern struct list_head smk_net4addr_list;
> +#if IS_ENABLED(CONFIG_IPV6)
> extern struct list_head smk_net6addr_list;
> +#endif /* CONFIG_IPV6 */
>
> extern struct mutex smack_onlycap_lock;
> extern struct list_head smack_onlycap_list;
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index c3f8de53aefd..ce7d44509973 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -2492,6 +2492,7 @@ static struct smack_known *smack_ipv4host_label(struct sockaddr_in *sip)
> return NULL;
> }
>
> +#if IS_ENABLED(CONFIG_IPV6)
> /*
> * smk_ipv6_localhost - Check for local ipv6 host address
> * @sip: the address
> @@ -2559,6 +2560,7 @@ static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip)
>
> return NULL;
> }
> +#endif /* CONFIG_IPV6 */
>
> /**
> * smack_netlbl_add - Set the secattr on a socket
> @@ -2663,6 +2665,7 @@ static int smk_ipv4_check(struct sock *sk, struct sockaddr_in *sap)
> return rc;
> }
>
> +#if IS_ENABLED(CONFIG_IPV6)
> /**
> * smk_ipv6_check - check Smack access
> * @subject: subject Smack label
> @@ -2695,6 +2698,7 @@ static int smk_ipv6_check(struct smack_known *subject,
> rc = smk_bu_note("IPv6 check", subject, object, MAY_WRITE, rc);
> return rc;
> }
> +#endif /* CONFIG_IPV6 */
>
> #ifdef SMACK_IPV6_PORT_LABELING
> /**
> @@ -3027,7 +3031,9 @@ static int smack_socket_connect(struct socket *sock, struct sockaddr *sap,
> return 0;
> if (addrlen < offsetofend(struct sockaddr, sa_family))
> return 0;
> - if (IS_ENABLED(CONFIG_IPV6) && sap->sa_family == AF_INET6) {
> +
> +#if IS_ENABLED(CONFIG_IPV6)
> + if (sap->sa_family == AF_INET6) {
> struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap;
> struct smack_known *rsp = NULL;
>
> @@ -3047,6 +3053,8 @@ static int smack_socket_connect(struct socket *sock, struct sockaddr *sap,
>
> return rc;
> }
> +#endif /* CONFIG_IPV6 */
> +
> if (sap->sa_family != AF_INET || addrlen < sizeof(struct sockaddr_in))
> return 0;
> rc = smk_ipv4_check(sock->sk, (struct sockaddr_in *)sap);
More information about the Linux-security-module-archive
mailing list