LKML Archive on
help / color / mirror / Atom feed
* [PATCH] (02/06/08 Linus git) Smack unlabeled outgoing ambient packets
@ 2008-02-07 17:07 Casey Schaufler
  0 siblings, 0 replies; only message in thread
From: Casey Schaufler @ 2008-02-07 17:07 UTC (permalink / raw)
  To: akpm, torvalds, mingo; +Cc: davem, netdev, linux-kernel

From: Casey Schaufler <>

Smack uses CIPSO labeling, but allows for unlabeled packets
by specifying an "ambient" label that is applied to incoming
unlabeled packets. Because the other end of the connection
may dislike IP options, and ssh is one know application that
behaves thus, it is prudent to respond in kind. This patch
changes the network labeling behavior such that an outgoing
packet that would be given a CIPSO label that matches the
ambient label is left unlabeled.

Signed-off-by: Casey Schaufler <>


 security/smack/smack_lsm.c |    9 +++++++++
 1 file changed, 9 insertions(+)

diff -uprN -X linux-2.6.25-g0206-base//Documentation/dontdiff linux-2.6.25-g0206-base/security/smack/smack_lsm.c linux-2.6.25-g0206/security/smack/smack_lsm.c
--- linux-2.6.25-g0206-base/security/smack/smack_lsm.c	2008-02-06 16:01:43.000000000 -0800
+++ linux-2.6.25-g0206/security/smack/smack_lsm.c	2008-02-06 18:39:55.000000000 -0800
@@ -1276,6 +1276,12 @@ static void smack_to_secattr(char *smack
  * Convert the outbound smack value (smk_out) to a
  * secattr and attach it to the socket.
+ * If the label is the ambient label do not set the secattr.
+ * Thus, all ambient packets are unlabeled and all unlabeled
+ * packets are ambient. This permits unlabeled responces to
+ * unlabeled requests without knowing on a per-packet basis
+ * if the packet was labeled ambient or was unlabeled.
+ *
  * Returns 0 on success or an error code
 static int smack_netlabel(struct sock *sk)
@@ -1284,6 +1290,9 @@ static int smack_netlabel(struct sock *s
 	struct netlbl_lsm_secattr secattr;
 	int rc = 0;
+	if (strncmp(ssp->smk_out, smack_net_ambient, SMK_MAXLEN) == 0)
+		return 0;
 	smack_to_secattr(ssp->smk_out, &secattr);
 	if (secattr.flags != NETLBL_SECATTR_NONE)

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2008-02-07 17:14 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2008-02-07 17:07 [PATCH] (02/06/08 Linus git) Smack unlabeled outgoing ambient packets Casey Schaufler

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).