linux/security
Casey Schaufler 2fe209d0ad smack: tcp: ipv4, fix incorrect labeling
Currently, Smack mirrors the label of incoming tcp/ipv4 connections:
when a label 'foo' connects to a label 'bar' with tcp/ipv4,
'foo' always gets 'foo' in returned ipv4 packets. So,
1) returned packets are incorrectly labeled ('foo' instead of 'bar')
2) 'bar' can write to 'foo' without being authorized to write.

Here is a scenario how to see this:

* Take two machines, let's call them C and S,
   with active Smack in the default state
   (no settings, no rules, no labeled hosts, only builtin labels)

* At S, add Smack rule 'foo bar w'
   (labels 'foo' and 'bar' are instantiated at S at this moment)

* At S, at label 'bar', launch a program
   that listens for incoming tcp/ipv4 connections

* From C, at label 'foo', connect to the listener at S.
   (label 'foo' is instantiated at C at this moment)
   Connection succeedes and works.

* Send some data in both directions.
* Collect network traffic of this connection.

All packets in both directions are labeled with the CIPSO
of the label 'foo'. Hence, label 'bar' writes to 'foo' without
being authorized, and even without ever being known at C.

If anybody cares: exactly the same happens with DCCP.

This behavior 1st manifested in release 2.6.29.4 (see Fixes below)
and it looks unintentional. At least, no explanation was provided.

I changed returned packes label into the 'bar',
to bring it into line with the Smack documentation claims.

Signed-off-by: Konstantin Andreev <andreev@swemel.ru>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
2024-06-05 15:41:50 -07:00
..
apparmor lsm: remove the now superfluous sentinel element from ctl_table array 2024-04-15 15:00:00 -04:00
bpf lsm: mark the lsm_id variables are marked as static 2023-11-12 22:54:42 -05:00
integrity ima: add crypto agility support for template-hash algorithm 2024-04-12 09:59:04 -04:00
keys KEYS: trusted: Do not use WARN when encode fails 2024-05-21 02:35:10 +03:00
landlock landlock: Fix d_parent walk 2024-05-31 16:41:52 +02:00
loadpin hardening fixes for v6.10-rc1 2024-05-24 08:33:44 -07:00
lockdown LSM: Identify modules by more than name 2023-11-12 22:54:42 -05:00
safesetid lsm: mark the lsm_id variables are marked as static 2023-11-12 22:54:42 -05:00
selinux integrity-v6.10 2024-05-15 08:43:02 -07:00
smack smack: tcp: ipv4, fix incorrect labeling 2024-06-05 15:41:50 -07:00
tomoyo kbuild: use $(src) instead of $(srctree)/$(src) for source directory 2024-05-10 04:34:52 +09:00
yama lsm: remove the now superfluous sentinel element from ctl_table array 2024-04-15 15:00:00 -04:00
commoncap.c lsm: mark the lsm_id variables are marked as static 2023-11-12 22:54:42 -05:00
device_cgroup.c device_cgroup: Fix kernel-doc warnings in device_cgroup 2023-06-21 09:30:49 -04:00
inode.c security: convert to new timestamp accessors 2023-10-18 14:08:31 +02:00
Kconfig fortify: drop Clang version check for 12.0.1 or newer 2024-02-22 15:38:54 -08:00
Kconfig.hardening mm: init_mlocked_on_free_v3 2024-04-25 20:56:29 -07:00
lsm_audit.c lsm: fix a number of misspellings 2023-05-25 17:52:15 -04:00
lsm_syscalls.c lsm: use 32-bit compatible data types in LSM syscalls 2024-03-14 11:31:26 -04:00
Makefile LSM: syscalls for current process attributes 2023-11-12 22:54:42 -05:00
min_addr.c
security.c security: allow finer granularity in permitting copy-up of security xattrs 2024-04-09 17:14:57 -04:00