authorPiotr Sawicki <p.sawicki2@partner.samsung.com>2018-07-19 11:47:31 +0200
committerCasey Schaufler <casey@schaufler-ca.com>2018-07-23 22:00:03 +0200
commitd66a8acbda926fa2398ae930f50787e8663bce96 (patch)
tree86c47de8e48fc66af59fc673c440d7895e08d6b0 /security
parentSmack: Check UDP-Lite and DCCP protocols during IPv6 handling (diff)
Smack: Inform peer that IPv6 traffic has been blocked
In this patch we're sending an ICMPv6 message to a peer to immediately inform it that making a connection is not possible. In case of TCP connections, without this change, the peer will be waiting until a connection timeout is exceeded. Signed-off-by: Piotr Sawicki <p.sawicki2@partner.samsung.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Diffstat (limited to 'security')
-rw-r--r--security/smack/smack_lsm.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index aff8397e8c7e..91750205a5de 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -28,6 +28,7 @@
#include <linux/tcp.h>
#include <linux/udp.h>
#include <linux/dccp.h>
+#include <linux/icmpv6.h>
#include <linux/slab.h>
#include <linux/mutex.h>
#include <linux/pipe_fs_i.h>
@@ -4009,6 +4010,9 @@ access_check:
#ifdef SMACK_IPV6_PORT_LABELING
rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING);
#endif /* SMACK_IPV6_PORT_LABELING */
+ if (rc != 0)
+ icmpv6_send(skb, ICMPV6_DEST_UNREACH,
+ ICMPV6_ADM_PROHIBITED, 0);
break;
#endif /* CONFIG_IPV6 */
}
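Review bot: The added `icmpv6_send()` after the `access_check:` label answers any inbound packet that fails the Smack check, so a remote peer can now tell a policy denial apart from a silent drop; that trade-off should be recorded at the call site. Something like `/* Deliberately reveal the denial so the peer fails fast; reply volume is presumably bounded by the stack's ICMPv6 error rate limit. */` above the `if (rc != 0)` would do. The condition also fires for every non-zero `rc`, so if the check helpers can return errors other than a denial (not visible in this hunk), the peer would be told "administratively prohibited" for a local failure; `if (rc == -EACCES)` would be narrower, provided that matches the helpers' contract. The enclosing function starts and ends outside the hunk.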