path: root/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0010-Smack-network-label-match-fix.patch
authorYannick GICQUEL <yannick.gicquel@iot.bzh>2015-10-19 15:57:07 +0200
committerGerrit Code Review <gerrit@172.30.200.200>2015-11-06 15:23:36 +0000
commitede19ea0c47fb23f3fc779833d1e57cf76f3371e (patch)
tree47d6fae2283c54def1871aaf2a73828ac68b1b34 /meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0010-Smack-network-label-match-fix.patch
parent1cd8ab18abca96e4ee108f80225058d875b28347 (diff)
kernel: smack security backport from kernel 4
Here is the backport of all patches relating to smack support on kernel side. For more details, see file: meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/README Please note that patches are applied only if "smack" is in the distro features. Here are the 2 lines to add in the local.conf OVERRIDES .= ":smack" DISTRO_FEATURES_append = " smack" Change-Id: I147a3532aec531f977d6ec34c576261835711f1e Signed-off-by: Yannick GICQUEL <yannick.gicquel@iot.bzh> Signed-off-by: José Bollo <jose.bollo@iot.bzh>
Diffstat (limited to 'meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0010-Smack-network-label-match-fix.patch')
-rw-r--r--meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0010-Smack-network-label-match-fix.patch110
1 files changed, 110 insertions, 0 deletions
diff --git a/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0010-Smack-network-label-match-fix.patch b/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0010-Smack-network-label-match-fix.patch
new file mode 100644
index 0000000..bfb9ad0
--- /dev/null
+++ b/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0010-Smack-network-label-match-fix.patch
@@ -0,0 +1,110 @@
+From 5ef1f5e8b97be9a415ad0828202d5ea03af377c7 Mon Sep 17 00:00:00 2001
+From: Casey Schaufler <casey@schaufler-ca.com>
+Date: Fri, 28 Jun 2013 13:47:07 -0700
+Subject: [PATCH 10/54] Smack: network label match fix
+
+The Smack code that matches incoming CIPSO tags with Smack labels
+reaches through the NetLabel interfaces and compares the network
+data with the CIPSO header associated with a Smack label. This was
+done in a ill advised attempt to optimize performance. It works
+so long as the categories fit in a single capset, but this isn't
+always the case.
+
+This patch changes the Smack code to use the appropriate NetLabel
+interfaces to compare the incoming CIPSO header with the CIPSO
+header associated with a label. It will always match the CIPSO
+headers correctly.
+
+Targeted for git://git.gitorious.org/smack-next/kernel.git
+
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+---
+ security/smack/smack.h | 8 ++++++--
+ security/smack/smack_lsm.c | 30 ++++++++++++++++++++++++------
+ security/smack/smackfs.c | 2 +-
+ 3 files changed, 31 insertions(+), 9 deletions(-)
+
+diff --git a/security/smack/smack.h b/security/smack/smack.h
+index e80597a..076b8e8 100644
+--- a/security/smack/smack.h
++++ b/security/smack/smack.h
+@@ -168,9 +168,13 @@ struct smk_port_label {
+ #define SMACK_CIPSO_DOI_INVALID -1 /* Not a DOI */
+ #define SMACK_CIPSO_DIRECT_DEFAULT 250 /* Arbitrary */
+ #define SMACK_CIPSO_MAPPED_DEFAULT 251 /* Also arbitrary */
+-#define SMACK_CIPSO_MAXCATVAL 63 /* Bigger gets harder */
+ #define SMACK_CIPSO_MAXLEVEL 255 /* CIPSO 2.2 standard */
+-#define SMACK_CIPSO_MAXCATNUM 239 /* CIPSO 2.2 standard */
++/*
++ * CIPSO 2.2 standard is 239, but Smack wants to use the
++ * categories in a structured way that limits the value to
++ * the bits in 23 bytes, hence the unusual number.
++ */
++#define SMACK_CIPSO_MAXCATNUM 184 /* 23 * 8 */
+
+ /*
+ * Flag for transmute access
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index f70a0fa..19de5e2 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -3063,6 +3063,8 @@ static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap,
+ {
+ struct smack_known *skp;
+ int found = 0;
++ int acat;
++ int kcat;
+
+ if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) {
+ /*
+@@ -3079,12 +3081,28 @@ static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap,
+ list_for_each_entry(skp, &smack_known_list, list) {
+ if (sap->attr.mls.lvl != skp->smk_netlabel.attr.mls.lvl)
+ continue;
+- if (memcmp(sap->attr.mls.cat,
+- skp->smk_netlabel.attr.mls.cat,
+- SMK_CIPSOLEN) != 0)
+- continue;
+- found = 1;
+- break;
++ /*
++ * Compare the catsets. Use the netlbl APIs.
++ */
++ if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) {
++ if ((skp->smk_netlabel.flags &
++ NETLBL_SECATTR_MLS_CAT) == 0)
++ found = 1;
++ break;
++ }
++ for (acat = -1, kcat = -1; acat == kcat; ) {
++ acat = netlbl_secattr_catmap_walk(
++ sap->attr.mls.cat, acat + 1);
++ kcat = netlbl_secattr_catmap_walk(
++ skp->smk_netlabel.attr.mls.cat,
++ kcat + 1);
++ if (acat < 0 || kcat < 0)
++ break;
++ }
++ if (acat == kcat) {
++ found = 1;
++ break;
++ }
+ }
+ rcu_read_unlock();
+
+diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
+index 269b270..a07e93f 100644
+--- a/security/smack/smackfs.c
++++ b/security/smack/smackfs.c
+@@ -890,7 +890,7 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
+ for (i = 0; i < catlen; i++) {
+ rule += SMK_DIGITLEN;
+ ret = sscanf(rule, "%u", &cat);
+- if (ret != 1 || cat > SMACK_CIPSO_MAXCATVAL)
++ if (ret != 1 || cat > SMACK_CIPSO_MAXCATNUM)
+ goto out;
+
+ smack_catset_bit(cat, mapcatset);
+--
+2.1.4
+
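Review bot: In the smack_lsm.c part of the embedded patch, the `break` inside the `if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0)` block leaves the `list_for_each_entry` loop at the first label whose level matches, so when the incoming secattr carries no category set only that first same-level entry is examined and `found` stays 0 even if a later label at the same level has no categories either. If that is intended (at most one category-less label per level), a comment such as `/* no categories on the wire: only a category-less label at this level can match */` would make it explicit; otherwise keep searching when the known label does carry categories, e.g. `if (skp->smk_netlabel.flags & NETLBL_SECATTR_MLS_CAT) continue; found = 1; break;`. Since 0010 appears to be a verbatim upstream backport, such a change would belong in a follow-up patch rather than an edit of this file, and smack_from_secattr starts and ends outside the hunk.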