[PATCH] smack: dont compile ipv6 code unless ipv6 is configured
Casey Schaufler
casey at schaufler-ca.com
Tue Jan 21 17:38:57 UTC 2025
On 1/17/2025 8:36 AM, Konstantin Andreev wrote:
> I want to be sure that ipv6-specific code
> is not compiled in kernel binaries
> if ipv6 is not configured.
The IPv6 Smack support really ought to be replaced with an
implementation of CALIPSO, now that it is available. The
conditional compilations that already exist have drawn no
small amount of well founded criticism. I will most likely
take this patch, but if you want to be extremely helpful
you could have a shot at CALIPSO for Smack.
>
> [1] got rid of an "unused variable" warning, but,
> in doing so, it also mandated compilation of a handful of
> ipv6-specific functions in ipv4-only kernel configurations:
>
> smk_ipv6_localhost, smack_ipv6host_label, smk_ipv6_check.
>
> Their compiled bodies are likely to be removed by compiler
> from the resulting binary, but, to be on the safe side,
> I remove them from the compiler view.
>
> [1]
> Fixes: 00720f0e7f28 ("smack: avoid unused 'sip' variable warning")
>
> Signed-off-by: Konstantin Andreev <andreev at swemel.ru>
> ---
> security/smack/smack.h | 6 ++++++
> security/smack/smack_lsm.c | 10 +++++++++-
> 2 files changed, 15 insertions(+), 1 deletion(-)
>
> diff --git a/security/smack/smack.h b/security/smack/smack.h
> index 4608b07607a3..c4d998972ba5 100644
> --- a/security/smack/smack.h
> +++ b/security/smack/smack.h
> @@ -152,6 +152,7 @@ struct smk_net4addr {
> struct smack_known *smk_label; /* label */
> };
>
> +#if IS_ENABLED(CONFIG_IPV6)
> /*
> * An entry in the table identifying IPv6 hosts.
> */
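Review bot: The `#if IS_ENABLED(CONFIG_IPV6)` opened here hides `struct smk_net6addr` from every file that includes smack.h, and the later hunk does the same for `extern struct list_head smk_net6addr_list`, yet the diffstat touches only smack.h and smack_lsm.c. Any definition or user of these in other Smack sources (not visible in this patch) must already sit under the same condition, or an IPv4-only build breaks rather than shrinks. The same applies to callers of `smk_ipv6_localhost`, `smack_ipv6host_label` and `smk_ipv6_check`, which the smack_lsm.c hunks now compile out. The description should state which configurations were build-tested, for example CONFIG_IPV6 off and on, each with and without the option that controls `SMACK_IPV6_PORT_LABELING`. The struct body itself lies outside this hunk.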
> @@ -162,7 +163,9 @@ struct smk_net6addr {
> int smk_masks; /* mask size */
> struct smack_known *smk_label; /* label */
> };
> +#endif /* CONFIG_IPV6 */
>
> +#ifdef SMACK_IPV6_PORT_LABELING
> /*
> * An entry in the table identifying ports.
> */
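Review bot: The guard added around `struct smk_port_label` uses `#ifdef SMACK_IPV6_PORT_LABELING`, a different condition from the `IS_ENABLED(CONFIG_IPV6)` used everywhere else in the patch, and neither the subject nor the description mentions it. It is only correct if that macro is defined before this point in smack.h, which these hunks do not show; smack_lsm.c already tests the same macro just after `smk_ipv6_check`. Once that is confirmed, I would add a comment above the guard such as `/* SMACK_IPV6_PORT_LABELING is derived from CONFIG_IPV6 earlier in this header */` and mention the change in the commit message. The struct body and the matching `#endif` are in the following hunk.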
> @@ -175,6 +178,7 @@ struct smk_port_label {
> short smk_sock_type; /* Socket type */
> short smk_can_reuse;
> };
> +#endif /* SMACK_IPV6_PORT_LABELING */
>
> struct smack_known_list_elem {
> struct list_head list;
> @@ -315,7 +319,9 @@ extern struct smack_known smack_known_web;
> extern struct mutex smack_known_lock;
> extern struct list_head smack_known_list;
> extern struct list_head smk_net4addr_list;
> +#if IS_ENABLED(CONFIG_IPV6)
> extern struct list_head smk_net6addr_list;
> +#endif /* CONFIG_IPV6 */
>
> extern struct mutex smack_onlycap_lock;
> extern struct list_head smack_onlycap_list;
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index c3f8de53aefd..ce7d44509973 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -2492,6 +2492,7 @@ static struct smack_known *smack_ipv4host_label(struct sockaddr_in *sip)
> return NULL;
> }
>
> +#if IS_ENABLED(CONFIG_IPV6)
> /*
> * smk_ipv6_localhost - Check for local ipv6 host address
> * @sip: the address
> @@ -2559,6 +2560,7 @@ static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip)
>
> return NULL;
> }
> +#endif /* CONFIG_IPV6 */
>
> /**
> * smack_netlbl_add - Set the secattr on a socket
> @@ -2663,6 +2665,7 @@ static int smk_ipv4_check(struct sock *sk, struct sockaddr_in *sap)
> return rc;
> }
>
> +#if IS_ENABLED(CONFIG_IPV6)
> /**
> * smk_ipv6_check - check Smack access
> * @subject: subject Smack label
> @@ -2695,6 +2698,7 @@ static int smk_ipv6_check(struct smack_known *subject,
> rc = smk_bu_note("IPv6 check", subject, object, MAY_WRITE, rc);
> return rc;
> }
> +#endif /* CONFIG_IPV6 */
>
> #ifdef SMACK_IPV6_PORT_LABELING
> /**
> @@ -3027,7 +3031,9 @@ static int smack_socket_connect(struct socket *sock, struct sockaddr *sap,
> return 0;
> if (addrlen < offsetofend(struct sockaddr, sa_family))
> return 0;
> - if (IS_ENABLED(CONFIG_IPV6) && sap->sa_family == AF_INET6) {
> +
> +#if IS_ENABLED(CONFIG_IPV6)
> + if (sap->sa_family == AF_INET6) {
> struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap;
> struct smack_known *rsp = NULL;
>
> @@ -3047,6 +3053,8 @@ static int smack_socket_connect(struct socket *sock, struct sockaddr *sap,
>
> return rc;
> }
> +#endif /* CONFIG_IPV6 */
> +
> if (sap->sa_family != AF_INET || addrlen < sizeof(struct sockaddr_in))
> return 0;
> rc = smk_ipv4_check(sock->sk, (struct sockaddr_in *)sap);
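Review bot: With CONFIG_IPV6 disabled, an AF_INET6 address now reaches `if (sap->sa_family != AF_INET || ...) return 0;` directly, so smack_socket_connect allows it without any label check. The old `IS_ENABLED(CONFIG_IPV6) &&` condition behaved the same way, but it was readable in one expression; after this change the fall-through is implied by an `#endif` in the middle of the function. A comment after the `#endif` would make the intent explicit, e.g. `/* Not IPv6, or IPv6 not built in: only AF_INET is checked below. */`; presumably this is acceptable because such a socket cannot exist without IPv6 support, which is worth stating there. The function starts and ends outside these hunks.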