提交 677264e8 编写于 作者: C Casey Schaufler

Smack: network label match fix

The Smack code that matches incoming CIPSO tags with Smack labels
reaches through the NetLabel interfaces and compares the network
data with the CIPSO header associated with a Smack label. This was
done in a ill advised attempt to optimize performance. It works
so long as the categories fit in a single capset, but this isn't
always the case.

This patch changes the Smack code to use the appropriate NetLabel
interfaces to compare the incoming CIPSO header with the CIPSO
header associated with a label. It will always match the CIPSO
headers correctly.

Targeted for git://git.gitorious.org/smack-next/kernel.gitSigned-off-by: NCasey Schaufler <casey@schaufler-ca.com>
上级 4d7cf4a1
...@@ -168,9 +168,13 @@ struct smk_port_label { ...@@ -168,9 +168,13 @@ struct smk_port_label {
#define SMACK_CIPSO_DOI_INVALID -1 /* Not a DOI */ #define SMACK_CIPSO_DOI_INVALID -1 /* Not a DOI */
#define SMACK_CIPSO_DIRECT_DEFAULT 250 /* Arbitrary */ #define SMACK_CIPSO_DIRECT_DEFAULT 250 /* Arbitrary */
#define SMACK_CIPSO_MAPPED_DEFAULT 251 /* Also arbitrary */ #define SMACK_CIPSO_MAPPED_DEFAULT 251 /* Also arbitrary */
#define SMACK_CIPSO_MAXCATVAL 63 /* Bigger gets harder */
#define SMACK_CIPSO_MAXLEVEL 255 /* CIPSO 2.2 standard */ #define SMACK_CIPSO_MAXLEVEL 255 /* CIPSO 2.2 standard */
#define SMACK_CIPSO_MAXCATNUM 239 /* CIPSO 2.2 standard */ /*
* CIPSO 2.2 standard is 239, but Smack wants to use the
* categories in a structured way that limits the value to
* the bits in 23 bytes, hence the unusual number.
*/
#define SMACK_CIPSO_MAXCATNUM 184 /* 23 * 8 */
/* /*
* Flag for transmute access * Flag for transmute access
......
...@@ -3066,6 +3066,8 @@ static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, ...@@ -3066,6 +3066,8 @@ static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap,
{ {
struct smack_known *skp; struct smack_known *skp;
int found = 0; int found = 0;
int acat;
int kcat;
if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) {
/* /*
...@@ -3082,12 +3084,28 @@ static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, ...@@ -3082,12 +3084,28 @@ static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap,
list_for_each_entry(skp, &smack_known_list, list) { list_for_each_entry(skp, &smack_known_list, list) {
if (sap->attr.mls.lvl != skp->smk_netlabel.attr.mls.lvl) if (sap->attr.mls.lvl != skp->smk_netlabel.attr.mls.lvl)
continue; continue;
if (memcmp(sap->attr.mls.cat, /*
skp->smk_netlabel.attr.mls.cat, * Compare the catsets. Use the netlbl APIs.
SMK_CIPSOLEN) != 0) */
continue; if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) {
found = 1; if ((skp->smk_netlabel.flags &
break; NETLBL_SECATTR_MLS_CAT) == 0)
found = 1;
break;
}
for (acat = -1, kcat = -1; acat == kcat; ) {
acat = netlbl_secattr_catmap_walk(
sap->attr.mls.cat, acat + 1);
kcat = netlbl_secattr_catmap_walk(
skp->smk_netlabel.attr.mls.cat,
kcat + 1);
if (acat < 0 || kcat < 0)
break;
}
if (acat == kcat) {
found = 1;
break;
}
} }
rcu_read_unlock(); rcu_read_unlock();
......
...@@ -890,7 +890,7 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf, ...@@ -890,7 +890,7 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
for (i = 0; i < catlen; i++) { for (i = 0; i < catlen; i++) {
rule += SMK_DIGITLEN; rule += SMK_DIGITLEN;
ret = sscanf(rule, "%u", &cat); ret = sscanf(rule, "%u", &cat);
if (ret != 1 || cat > SMACK_CIPSO_MAXCATVAL) if (ret != 1 || cat > SMACK_CIPSO_MAXCATNUM)
goto out; goto out;
smack_catset_bit(cat, mapcatset); smack_catset_bit(cat, mapcatset);
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册