* [PATCH v3 RFC] Smack: Inform peer that IPv6 traffic has been blocked
       [not found] <CGME20180719094732eucas1p18ac5bd15693cd06f868238c7a4951aa1@eucas1p1.samsung.com>
@ 2018-07-19  9:47 ` Piotr Sawicki
  2018-07-19 22:51   ` Casey Schaufler
  2018-07-23 20:04   ` Casey Schaufler
  0 siblings, 2 replies; 4+ messages in thread
From: Piotr Sawicki @ 2018-07-19  9:47 UTC (permalink / raw)
  To: linux-security-module

In this patch we're sending an ICMPv6 message to a peer to
immediately inform it that making a connection is not possible.
In the case of TCP connections, without this change, the peer
will be waiting until a connection timeout is exceeded.

Signed-off-by: Piotr Sawicki <p.sawicki2@partner.samsung.com>
---
Changes in v2:
 - Add missing Signed-off-by field
Changes in v3:
 - Fix formatting issues caused by improper email client configuration
---
 security/smack/smack_lsm.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index c2282ac..efa81bc 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -28,6 +28,7 @@
 #include <linux/tcp.h>
 #include <linux/udp.h>
 #include <linux/dccp.h>
+#include <linux/icmpv6.h>
 #include <linux/slab.h>
 #include <linux/mutex.h>
 #include <linux/pipe_fs_i.h>
@@ -4010,6 +4011,9 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
 #ifdef SMACK_IPV6_PORT_LABELING
 		rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING);
 #endif /* SMACK_IPV6_PORT_LABELING */
+		if (rc != 0)
+			icmpv6_send(skb, ICMPV6_DEST_UNREACH,
+					ICMPV6_ADM_PROHIBITED, 0);
 		break;
 #endif /* CONFIG_IPV6 */
 	}
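Review bot: the `if (rc != 0)` check in the second hunk sits after the `#ifdef SMACK_IPV6_PORT_LABELING` block but outside it, so `icmpv6_send()` fires for any nonzero `rc` that reaches this point in the `CONFIG_IPV6` case, not only for a port-label rejection by `smk_ipv6_port_check()`; if that is intended, the commit message should say so, and if not, the three added lines belong inside the `#ifdef`. The value of `rc` is not changed by the new lines, so the packet is still rejected exactly as before and the ICMPv6 message is purely advisory: a peer that ignores Destination Unreachable / Administratively Prohibited replies will still wait out the timeout the commit message describes. A one-line comment above the call explaining why `ICMPV6_ADM_PROHIBITED` was chosen would help future readers, since this turns a silent drop into an explicit signal to the remote host that local policy, rather than the absence of a listener, blocked the packet.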
-- 
2.7.4
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


* [PATCH v3 RFC] Smack: Inform peer that IPv6 traffic has been blocked
  2018-07-19  9:47 ` [PATCH v3 RFC] Smack: Inform peer that IPv6 traffic has been blocked Piotr Sawicki
@ 2018-07-19 22:51   ` Casey Schaufler
  2018-07-23 20:04   ` Casey Schaufler
  1 sibling, 0 replies; 4+ messages in thread
From: Casey Schaufler @ 2018-07-19 22:51 UTC (permalink / raw)
  To: linux-security-module

On 7/19/2018 2:47 AM, Piotr Sawicki wrote:
> In this patch we're sending an ICMPv6 message to a peer to
> immediately inform it that making a connection is not possible.
> In the case of TCP connections, without this change, the peer
> will be waiting until a connection timeout is exceeded.
>
> Signed-off-by: Piotr Sawicki <p.sawicki2@partner.samsung.com>

Acked-by: Casey Schaufler <casey@schaufler-ca.com>

> ---
> Changes in v2:
>  - Add missing Signed-off-by field
> Changes in v3:
>  - Fix formatting issues caused by improper email client configuration
> ---
>  security/smack/smack_lsm.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index c2282ac..efa81bc 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -28,6 +28,7 @@
>  #include <linux/tcp.h>
>  #include <linux/udp.h>
>  #include <linux/dccp.h>
> +#include <linux/icmpv6.h>
>  #include <linux/slab.h>
>  #include <linux/mutex.h>
>  #include <linux/pipe_fs_i.h>
> @@ -4010,6 +4011,9 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
>  #ifdef SMACK_IPV6_PORT_LABELING
>  		rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING);
>  #endif /* SMACK_IPV6_PORT_LABELING */
> +		if (rc != 0)
> +			icmpv6_send(skb, ICMPV6_DEST_UNREACH,
> +					ICMPV6_ADM_PROHIBITED, 0);
>  		break;
>  #endif /* CONFIG_IPV6 */
>  	}



* [PATCH v3 RFC] Smack: Inform peer that IPv6 traffic has been blocked
  2018-07-19  9:47 ` [PATCH v3 RFC] Smack: Inform peer that IPv6 traffic has been blocked Piotr Sawicki
  2018-07-19 22:51   ` Casey Schaufler
@ 2018-07-23 20:04   ` Casey Schaufler
  2019-03-13 22:55     ` Replacing IPv6 port labeling with CALIPSO in Smack Casey Schaufler
  1 sibling, 1 reply; 4+ messages in thread
From: Casey Schaufler @ 2018-07-23 20:04 UTC (permalink / raw)
  To: linux-security-module

On 7/19/2018 2:47 AM, Piotr Sawicki wrote:
> In this patch we're sending an ICMPv6 message to a peer to
> immediately inform it that making a connection is not possible.
> In the case of TCP connections, without this change, the peer
> will be waiting until a connection timeout is exceeded.
>
> Signed-off-by: Piotr Sawicki <p.sawicki2@partner.samsung.com>

Added to git://github.com/cschaufler/next-smack.git#smack-for-4.19-a

> ---
> Changes in v2:
>  - Add missing Signed-off-by field
> Changes in v3:
>  - Fix formatting issues caused by improper email client configuration
> ---
>  security/smack/smack_lsm.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index c2282ac..efa81bc 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -28,6 +28,7 @@
>  #include <linux/tcp.h>
>  #include <linux/udp.h>
>  #include <linux/dccp.h>
> +#include <linux/icmpv6.h>
>  #include <linux/slab.h>
>  #include <linux/mutex.h>
>  #include <linux/pipe_fs_i.h>
> @@ -4010,6 +4011,9 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
>  #ifdef SMACK_IPV6_PORT_LABELING
>  		rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING);
>  #endif /* SMACK_IPV6_PORT_LABELING */
> +		if (rc != 0)
> +			icmpv6_send(skb, ICMPV6_DEST_UNREACH,
> +					ICMPV6_ADM_PROHIBITED, 0);
>  		break;
>  #endif /* CONFIG_IPV6 */
>  	}



* Replacing IPv6 port labeling with CALIPSO in Smack
  2018-07-23 20:04   ` Casey Schaufler
@ 2019-03-13 22:55     ` Casey Schaufler
  0 siblings, 0 replies; 4+ messages in thread
From: Casey Schaufler @ 2019-03-13 22:55 UTC (permalink / raw)
  To: Piotr Sawicki, LSM, SMACK-discuss; +Cc: casey

I am looking at CALIPSO support for Smack. CALIPSO provides
the same sort of network packet labeling for IPv6 that CIPSO
provides for IPv4. Because most of the details are buried in
the Netlabel code this should be reasonably straightforward.
The complication is that Smack has two mechanisms in place
for labeling IPv6 already, and neither uses anything like
CALIPSO packet labeling. If CONFIG_SECURITY_SMACK_NETFILTER
is defined Smack secids are sent via the netfilter secmark.
Otherwise, the Smack label of the process creating a socket
is maintained in a table indexed by the port number.

My proposed change would make the IPv6 labeling match the IPv4
labeling. The entire port number scheme would be abandoned.
The current secmark scheme would continue to be used if it
is configured. Whereas today IPv6 labeling is only supported
locally, the new code would support labeling remote systems as
well.

Systems that use CONFIG_SECURITY_SMACK_NETFILTER should be
unaffected for local use. The host address labeling scheme
would be retained, so any system configured to use IPv6
externally shouldn't see a difference. Systems that don't
use the option should also work the same as they do today.

Are there any users of Smack that use IPv6 but do not use
CONFIG_SECURITY_SMACK_NETFILTER? Does anyone have, know of
or imagine a use case where CALIPSO labeling would not be
a viable replacement for the hackish "port labeling"?

Thank you.


