[PATCH net 3/4] netlabel: validate CALIPSO option against skb tail in netlbl_skbuff_getattr

Qi Tang tpluszz77 at gmail.com
Fri May 15 01:54:14 UTC 2026


Hi Casey,

You're right.  "SELinux/Smack peer-label consume path" was wrong
in the CALIPSO patch.  Our reasoning was that both LSMs call
netlbl_skbuff_getattr() in their socket-rcv path, but we only
actually verified the OOB read via SELinux's compat path
(selinux=1 enforcing=0, with a CALIPSO DOI installed via
netlabelctl).  We never tested with Smack and shouldn't have
included it.

v2 will say "SELinux" only on the CALIPSO patch.  The companion
CIPSO patch keeps the Smack mention since Smack does use CIPSO.

Sorry for the noise.

Qi


