--- Paul Moore <[EMAIL PROTECTED]> wrote:

> On Friday 15 February 2008 12:38:49 am Casey Schaufler wrote:
> > From: Casey Schaufler <[EMAIL PROTECTED]>
> >
> > Smack uses CIPSO labeling, but allows for unlabeled packets
> > by specifying an "ambient" label that is applied to incoming
> > unlabeled packets. Because the other end of the connection
> > may dislike IP options, and ssh is one known application that
> > behaves thus, it is prudent to respond in kind. This patch
> > changes the network labeling behavior such that an outgoing
> > packet that would be given a CIPSO label that matches the
> > ambient label is left unlabeled. An "unlbl" domain is added
> > and the netlabel defaulting mechanism invoked rather than
> > assuming that everything is CIPSO. Locking has been added
> > around changes to the ambient label as the mechanisms used
> > to do so are more involved.
> >
> > Cleaned up some issues noted in review.
> >   Make smk_cipso_doi() static.
> >   Create a hook for the new security_secctx_to_secid()
> >   using existing underlying code.
> >   Fill in audit data for netlbl domain calls.
> >   Collapse unnecessary multiple assignments.
> >
> > Signed-off-by: Casey Schaufler <[EMAIL PROTECTED]>
>
> Hi Casey,
>
> Thanks for the update, it's much improved. I'd ack it except for one
> last thing which popped up in this revision ... (and don't worry, it's
> kinda my fault - not yours) ...
>
> > @@ -1282,15 +1281,21 @@ static int smack_netlabel(struct sock *s
> >  {
> >  	struct socket_smack *ssp;
> >  	struct netlbl_lsm_secattr secattr;
> > -	int rc = 0;
> > +	int rc;
> >
> >  	ssp = sk->sk_security;
> >  	netlbl_secattr_init(&secattr);
> >  	smack_to_secattr(ssp->smk_out, &secattr);
> > -	if (secattr.flags != NETLBL_SECATTR_NONE)
> > -		rc = netlbl_sock_setattr(sk, &secattr);
> > -
> > +	rc = netlbl_sock_setattr(sk, &secattr);
> >  	netlbl_secattr_destroy(&secattr);
> > +
> > +	/*
> > +	 * A return of -ENOENT from netlbl_sock_setattr
> > +	 * indicates that the "domain" was not found, but that's
> > +	 * not an issue because of the defaulting behavior.
> > +	 */
> > +	if (rc == -ENOENT)
> > +		rc = 0;
> >  	return rc;
> >  }
>
> ... you shouldn't fix-up the return value from netlbl_sock_setattr().
> It only returns an error when there really is an error; if there are no
> matching domain mappings and the default catches the "domain" then the
> function will return 0 (assuming no other failures).
>
> The fact that you ran into this problem isn't your fault, it's mine, but
> thankfully for both of us Pavel Emelyanov found this bug and fixed
> it[1]. It hasn't hit Linus' tree yet but it's in the net-2.6 tree. If
> you can't wait for it to hit Linus' tree you can always apply the fix
> by hand, it's pretty minor.
>
> Sorry about that.
>
> [1] http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commit;h=4c3a0a254e5d706d3fe01bf42261534858d05586
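Review bot: the `if (rc == -ENOENT) rc = 0;` fix-up at the end of smack_netlabel() in the quoted hunk converts a genuine lookup failure into success, which hides any future real "domain not found" error from callers of this hook; it works around a bug in netlbl_sock_setattr() instead of fixing it there, and once that function returns 0 for the no-mapping-but-default-matched case (as Paul Moore states in this thread, with Pavel Emelyanov's fix in net-2.6) the three lines plus the comment above them become dead code that still swallows errors. Suggest dropping the fix-up and returning the value from netlbl_sock_setattr() unchanged, and carrying the netlabel fix in the same tree so the patch is not merged without it. Separately, removing the `if (secattr.flags != NETLBL_SECATTR_NONE)` guard means netlbl_sock_setattr() is now called with an empty secattr in the ambient case; that is the intent described in the changelog (let netlabel's defaulting decide), so a one-line comment at the call site saying so would help the next reader who wonders why the guard went away.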
Yerk. I can put that fix into my tree, but my patch without the
"correction" makes sockets behave very badly. I can't have people using
it without Pavel's fix. Any notion on the plans to get that in?

Thank you.

Casey Schaufler
[EMAIL PROTECTED]
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html