From ede19ea0c47fb23f3fc779833d1e57cf76f3371e Mon Sep 17 00:00:00 2001
From: Yannick GICQUEL <yannick.gicquel@iot.bzh>
Date: Mon, 19 Oct 2015 15:57:07 +0200
Subject: kernel: smack security backport from kernel 4
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Here is the backport of all patches relating to smack support
on kernel side. For more details, see file:

  meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/README

Please note that patches are applied only if "smack" is in the
ditro features. Here are the 2 lines to add in the local.conf

OVERRIDES .= ":smack"
DISTRO_FEATURES_append = " smack"

Change-Id: I147a3532aec531f977d6ec34c576261835711f1e
Signed-off-by: Yannick GICQUEL <yannick.gicquel@iot.bzh>
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
---
 ...011-Smack-IPv6-casting-error-fix-for-3.11.patch | 105 +++++++++++++++++++++
 1 file changed, 105 insertions(+)
 create mode 100644 meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0011-Smack-IPv6-casting-error-fix-for-3.11.patch

(limited to 'meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0011-Smack-IPv6-casting-error-fix-for-3.11.patch')

diff --git a/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0011-Smack-IPv6-casting-error-fix-for-3.11.patch b/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0011-Smack-IPv6-casting-error-fix-for-3.11.patch
new file mode 100644
index 0000000..617715b
--- /dev/null
+++ b/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0011-Smack-IPv6-casting-error-fix-for-3.11.patch
@@ -0,0 +1,105 @@
+From e1a1ad9641f7721edb0f52f0280cfc699ba4690c Mon Sep 17 00:00:00 2001
+From: Casey Schaufler <casey@schaufler-ca.com>
+Date: Mon, 5 Aug 2013 13:21:22 -0700
+Subject: [PATCH 11/54] Smack: IPv6 casting error fix for 3.11
+
+The original implementation of the Smack IPv6 port based
+local controls works most of the time using a sockaddr as
+a temporary variable, but not always as it overflows in
+some circumstances. The correct data is a sockaddr_in6.
+A struct sockaddr isn't as large as a struct sockaddr_in6.
+There would need to be casting one way or the other. This
+patch gets it the right way.
+
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+Signed-off-by: James Morris <james.l.morris@oracle.com>
+---
+ security/smack/smack_lsm.c | 24 +++++++++++-------------
+ 1 file changed, 11 insertions(+), 13 deletions(-)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index 19de5e2..8825375 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -1995,12 +1995,11 @@ static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address)
+  *
+  * Create or update the port list entry
+  */
+-static int smk_ipv6_port_check(struct sock *sk, struct sockaddr *address,
++static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address,
+ 				int act)
+ {
+ 	__be16 *bep;
+ 	__be32 *be32p;
+-	struct sockaddr_in6 *addr6;
+ 	struct smk_port_label *spp;
+ 	struct socket_smack *ssp = sk->sk_security;
+ 	struct smack_known *skp;
+@@ -2022,10 +2021,9 @@ static int smk_ipv6_port_check(struct sock *sk, struct sockaddr *address,
+ 	/*
+ 	 * Get the IP address and port from the address.
+ 	 */
+-	addr6 = (struct sockaddr_in6 *)address;
+-	port = ntohs(addr6->sin6_port);
+-	bep = (__be16 *)(&addr6->sin6_addr);
+-	be32p = (__be32 *)(&addr6->sin6_addr);
++	port = ntohs(address->sin6_port);
++	bep = (__be16 *)(&address->sin6_addr);
++	be32p = (__be32 *)(&address->sin6_addr);
+ 
+ 	/*
+ 	 * It's remote, so port lookup does no good.
+@@ -2057,9 +2055,9 @@ auditout:
+ 	ad.a.u.net->family = sk->sk_family;
+ 	ad.a.u.net->dport = port;
+ 	if (act == SMK_RECEIVING)
+-		ad.a.u.net->v6info.saddr = addr6->sin6_addr;
++		ad.a.u.net->v6info.saddr = address->sin6_addr;
+ 	else
+-		ad.a.u.net->v6info.daddr = addr6->sin6_addr;
++		ad.a.u.net->v6info.daddr = address->sin6_addr;
+ #endif
+ 	return smk_access(skp, object, MAY_WRITE, &ad);
+ }
+@@ -2198,7 +2196,8 @@ static int smack_socket_connect(struct socket *sock, struct sockaddr *sap,
+ 	case PF_INET6:
+ 		if (addrlen < sizeof(struct sockaddr_in6))
+ 			return -EINVAL;
+-		rc = smk_ipv6_port_check(sock->sk, sap, SMK_CONNECTING);
++		rc = smk_ipv6_port_check(sock->sk, (struct sockaddr_in6 *)sap,
++						SMK_CONNECTING);
+ 		break;
+ 	}
+ 	return rc;
+@@ -3031,7 +3030,7 @@ static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg,
+ 				int size)
+ {
+ 	struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name;
+-	struct sockaddr *sap = (struct sockaddr *) msg->msg_name;
++	struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name;
+ 	int rc = 0;
+ 
+ 	/*
+@@ -3136,9 +3135,8 @@ static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap,
+ 	return smack_net_ambient;
+ }
+ 
+-static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr *sap)
++static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip)
+ {
+-	struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap;
+ 	u8 nexthdr;
+ 	int offset;
+ 	int proto = -EINVAL;
+@@ -3196,7 +3194,7 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
+ 	struct netlbl_lsm_secattr secattr;
+ 	struct socket_smack *ssp = sk->sk_security;
+ 	struct smack_known *skp;
+-	struct sockaddr sadd;
++	struct sockaddr_in6 sadd;
+ 	int rc = 0;
+ 	struct smk_audit_info ad;
+ #ifdef CONFIG_AUDIT
+-- 
+2.1.4
+
-- 
cgit 1.2.3-korg