diff options
author | Yannick GICQUEL <yannick.gicquel@iot.bzh> | 2015-10-19 15:57:07 +0200 |
---|---|---|
committer | Gerrit Code Review <gerrit@172.30.200.200> | 2015-11-06 15:23:36 +0000 |
commit | ede19ea0c47fb23f3fc779833d1e57cf76f3371e (patch) | |
tree | 47d6fae2283c54def1871aaf2a73828ac68b1b34 /meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0010-Smack-network-label-match-fix.patch | |
parent | 1cd8ab18abca96e4ee108f80225058d875b28347 (diff) |
kernel: smack security backport from kernel 4
Here is the backport of all patches relating to smack support
on kernel side. For more details, see file:
meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/README
Please note that patches are applied only if "smack" is in the
ditro features. Here are the 2 lines to add in the local.conf
OVERRIDES .= ":smack"
DISTRO_FEATURES_append = " smack"
Change-Id: I147a3532aec531f977d6ec34c576261835711f1e
Signed-off-by: Yannick GICQUEL <yannick.gicquel@iot.bzh>
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
Diffstat (limited to 'meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0010-Smack-network-label-match-fix.patch')
-rw-r--r-- | meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0010-Smack-network-label-match-fix.patch | 110 |
1 files changed, 110 insertions, 0 deletions
diff --git a/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0010-Smack-network-label-match-fix.patch b/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0010-Smack-network-label-match-fix.patch new file mode 100644 index 0000000..bfb9ad0 --- /dev/null +++ b/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0010-Smack-network-label-match-fix.patch @@ -0,0 +1,110 @@ +From 5ef1f5e8b97be9a415ad0828202d5ea03af377c7 Mon Sep 17 00:00:00 2001 +From: Casey Schaufler <casey@schaufler-ca.com> +Date: Fri, 28 Jun 2013 13:47:07 -0700 +Subject: [PATCH 10/54] Smack: network label match fix + +The Smack code that matches incoming CIPSO tags with Smack labels +reaches through the NetLabel interfaces and compares the network +data with the CIPSO header associated with a Smack label. This was +done in a ill advised attempt to optimize performance. It works +so long as the categories fit in a single capset, but this isn't +always the case. + +This patch changes the Smack code to use the appropriate NetLabel +interfaces to compare the incoming CIPSO header with the CIPSO +header associated with a label. It will always match the CIPSO +headers correctly. + +Targeted for git://git.gitorious.org/smack-next/kernel.git + +Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> +--- + security/smack/smack.h | 8 ++++++-- + security/smack/smack_lsm.c | 30 ++++++++++++++++++++++++------ + security/smack/smackfs.c | 2 +- + 3 files changed, 31 insertions(+), 9 deletions(-) + +diff --git a/security/smack/smack.h b/security/smack/smack.h +index e80597a..076b8e8 100644 +--- a/security/smack/smack.h ++++ b/security/smack/smack.h +@@ -168,9 +168,13 @@ struct smk_port_label { + #define SMACK_CIPSO_DOI_INVALID -1 /* Not a DOI */ + #define SMACK_CIPSO_DIRECT_DEFAULT 250 /* Arbitrary */ + #define SMACK_CIPSO_MAPPED_DEFAULT 251 /* Also arbitrary */ +-#define SMACK_CIPSO_MAXCATVAL 63 /* Bigger gets harder */ + #define SMACK_CIPSO_MAXLEVEL 255 /* CIPSO 2.2 standard */ +-#define SMACK_CIPSO_MAXCATNUM 239 /* CIPSO 2.2 standard */ ++/* ++ * CIPSO 2.2 standard is 239, but Smack wants to use the ++ * categories in a structured way that limits the value to ++ * the bits in 23 bytes, hence the unusual number. ++ */ ++#define SMACK_CIPSO_MAXCATNUM 184 /* 23 * 8 */ + + /* + * Flag for transmute access +diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c +index f70a0fa..19de5e2 100644 +--- a/security/smack/smack_lsm.c ++++ b/security/smack/smack_lsm.c +@@ -3063,6 +3063,8 @@ static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, + { + struct smack_known *skp; + int found = 0; ++ int acat; ++ int kcat; + + if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { + /* +@@ -3079,12 +3081,28 @@ static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, + list_for_each_entry(skp, &smack_known_list, list) { + if (sap->attr.mls.lvl != skp->smk_netlabel.attr.mls.lvl) + continue; +- if (memcmp(sap->attr.mls.cat, +- skp->smk_netlabel.attr.mls.cat, +- SMK_CIPSOLEN) != 0) +- continue; +- found = 1; +- break; ++ /* ++ * Compare the catsets. Use the netlbl APIs. ++ */ ++ if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) { ++ if ((skp->smk_netlabel.flags & ++ NETLBL_SECATTR_MLS_CAT) == 0) ++ found = 1; ++ break; ++ } ++ for (acat = -1, kcat = -1; acat == kcat; ) { ++ acat = netlbl_secattr_catmap_walk( ++ sap->attr.mls.cat, acat + 1); ++ kcat = netlbl_secattr_catmap_walk( ++ skp->smk_netlabel.attr.mls.cat, ++ kcat + 1); ++ if (acat < 0 || kcat < 0) ++ break; ++ } ++ if (acat == kcat) { ++ found = 1; ++ break; ++ } + } + rcu_read_unlock(); + +diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c +index 269b270..a07e93f 100644 +--- a/security/smack/smackfs.c ++++ b/security/smack/smackfs.c +@@ -890,7 +890,7 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf, + for (i = 0; i < catlen; i++) { + rule += SMK_DIGITLEN; + ret = sscanf(rule, "%u", &cat); +- if (ret != 1 || cat > SMACK_CIPSO_MAXCATVAL) ++ if (ret != 1 || cat > SMACK_CIPSO_MAXCATNUM) + goto out; + + smack_catset_bit(cat, mapcatset); +-- +2.1.4 + |