authorCasey Schaufler <casey@schaufler-ca.com>2019-04-03 23:28:38 +0200
committerCasey Schaufler <casey@schaufler-ca.com>2019-04-03 23:28:38 +0200
commitf7450bc6e76860564f3842a41892f9b74313cc23 (patch)
tree863eddb3f6473b23322512310b43f6725bc7bb7c /security
parentSmack: Create smack_rule cache to optimize memory usage (diff)
Smack: Fix IPv6 handling of 0 secmark
Handle the case where the skb for an IPv6 packet contains a 0 in the secmark for a packet generated locally. This can only happen for system packets, so allow the access. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Diffstat (limited to 'security')
-rw-r--r--security/smack/smack_lsm.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index bd45c9139d34..b9abcdb36a73 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3907,6 +3907,8 @@ access_check:
#ifdef SMACK_IPV6_SECMARK_LABELING
if (skb && skb->secmark != 0)
skp = smack_from_secid(skb->secmark);
+ else if (smk_ipv6_localhost(&sadd))
+ break;
else
skp = smack_ipv6host_label(&sadd);
if (skp == NULL)
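Review bot: The new `else if (smk_ipv6_localhost(&sadd)) break;` branch leaves the switch without setting `skp`, so it appears to skip the Smack access check that follows, and nothing in the code says why that is safe. The commit message gives the reason (a zero secmark on a locally generated packet can only be a system packet), so I would carry it into the code, e.g. `/* secmark 0 from the local host: system-generated packet, allow */` above the branch. The decision rests on `sadd`, which is presumably parsed from the packet header, so it is worth confirming and stating in that comment that a loopback source address cannot reach this hook from off-host. The branch is also reached when `skb` is NULL, because the first condition tests `skb &&`; whether `sadd` is valid in that case is not visible here. The enclosing function starts and ends outside the hunk.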