[PATCH v3 RFC] Smack: Inform peer that IPv6 traffic has been blocked
From: casey@schaufler-ca.com (Casey Schaufler)
Date: 2018-07-23 20:04:55
On 7/19/2018 2:47 AM, Piotr Sawicki wrote:
In this patch we're sending an ICMPv6 message to a peer to immediately inform it that making a connection is not possible. In case of TCP connections, without this change, the peer will be waiting until a connection timeout is exceeded.

Signed-off-by: Piotr Sawicki <redacted>
Added to git://github.com/cschaufler/next-smack.git#smack-for-4.19-a
--- Changes in v2: - Add missing Signed-off-by field Changes in v3: - Fix formatting issues caused by improper email client configuration --- security/smack/smack_lsm.c | 4 ++++ 1 file changed, 4 insertions(+)diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index c2282ac..efa81bc 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c@@ -28,6 +28,7 @@ #include <linux/tcp.h> #include <linux/udp.h> #include <linux/dccp.h> +#include <linux/icmpv6.h> #include <linux/slab.h> #include <linux/mutex.h> #include <linux/pipe_fs_i.h>@@ -4010,6 +4011,9 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) #ifdef SMACK_IPV6_PORT_LABELING rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING); #endif /* SMACK_IPV6_PORT_LABELING */ + if (rc != 0) + icmpv6_send(skb, ICMPV6_DEST_UNREACH, + ICMPV6_ADM_PROHIBITED, 0); break; #endif /* CONFIG_IPV6 */ }
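Review bot: In the second hunk the new `if (rc != 0)` test sits after the `#endif /* SMACK_IPV6_PORT_LABELING */`, so the `icmpv6_send()` call runs for every denied IPv6 packet that reaches this case, whatever its protocol, while the commit message only motivates the TCP case. The ICMPV6_ADM_PROHIBITED reply also tells the sender that the packet was rejected by policy rather than lost, which is a change in what a denied peer can observe. Please add a short comment above the call saying that the reply is intended for all protocols and why, or restrict it to the protocols where the fast failure is actually wanted. It would also help to state in the commit message whether `rc` can still be nonzero here when SMACK_IPV6_PORT_LABELING is not defined, since the check depends on whatever was assigned to `rc` earlier in the case.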
-- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html