Smack: Inform peer that IPv6 traffic has been blocked

In this patch we're sending an ICMPv6 message to a peer to immediately inform it that making a connection is not possible. In case of TCP connections, without this change, the peer will be waiting until a connection timeout is exceeded. Signed-off-by: N Piotr Sawicki <p.sawicki2@partner.samsung.com> Signed-off-by: N Casey Schaufler <casey@schaufler-ca.com>

Smack: Inform peer that IPv6 traffic has been blocked
In this patch we're sending an ICMPv6 message to a peer to immediately inform it that making a connection is not possible. In case of TCP connections, without this change, the peer will be waiting until a connection timeout is exceeded. Signed-off-by: N Piotr Sawicki <p.sawicki2@partner.samsung.com> Signed-off-by: N Casey Schaufler <casey@schaufler-ca.com>
d66a8acb · Piotr Sawicki · Casey Schaufler · a07ef951 · d66a8acb
显示空白变更内容
内联并排

Showing with 4 addition and 0 deletion

security/smack/smack_lsm.c security/smack/smack_lsm.c +4 -0

未找到文件。
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -28,6 +28,7 @@
 #include <linux/tcp.h>
 #include <linux/udp.h>
 #include <linux/dccp.h>
+#include <linux/icmpv6.h>
 #include <linux/slab.h>
 #include <linux/mutex.h>
 #include <linux/pipe_fs_i.h>
@@ -4009,6 +4010,9 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
 #ifdef SMACK_IPV6_PORT_LABELING
 		rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING);
 #endif /* SMACK_IPV6_PORT_LABELING */
+		if (rc != 0)
+			icmpv6_send(skb, ICMPV6_DEST_UNREACH,
+					ICMPV6_ADM_PROHIBITED, 0);
 		break;
 #endif /* CONFIG_IPV6 */
 	}