[ 3.8.y.z extended stable ] Patch "Smack: Fix the bug smackcipso can't set CIPSO correctly" has been added to staging queue
Kamal Mostafa
kamal at canonical.com
Wed Oct 9 18:49:08 UTC 2013
This is a note to let you know that I have just added a patch titled
Smack: Fix the bug smackcipso can't set CIPSO correctly
to the linux-3.8.y-queue branch of the 3.8.y.z extended stable tree
which can be found at:
http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.8.y-queue
This patch is scheduled to be released in version 3.8.13.11.
If you, or anyone else, feels it should not be added to this tree, please
reply to this email.
For more information about the 3.8.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable
Thanks.
-Kamal
------
From 42c2a23f5df74d1ad52911904be4f49f20e16057 Mon Sep 17 00:00:00 2001
From: "Passion,Zhao" <passion.zhao at intel.com>
Date: Mon, 3 Jun 2013 11:42:24 +0800
Subject: Smack: Fix the bug smackcipso can't set CIPSO correctly
commit 0fcfee61d63b82c1eefb5b1a914240480f17d63f upstream.
Bug report: https://tizendev.org/bugs/browse/TDIS-3891
The reason is that userspace libsmack only uses the "smackfs/cipso2" long-label interface,
but the code's logic is still for the original fixed-length label. Now update
smack_cipso_apply() to support flexible labels (<=256 including trailing '\0').
There is also a bug in kernel/security/smack/smackfs.c:
When smk_set_cipso() parses the CIPSO setting from userspace, the offset of the
CIPSO level should be "strlen(label)+1" instead of "strlen(label)".
Signed-off-by: Passion,Zhao <passion.zhao at intel.com>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
security/smack/smackfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 76a5dca..c4fe705 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -818,7 +818,7 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
if (format == SMK_FIXED24_FMT)
rule += SMK_LABELLEN;
else
- rule += strlen(skp->smk_known);
+ rule += strlen(skp->smk_known) + 1;
ret = sscanf(rule, "%d", &maplevel);
if (ret != 1 || maplevel > SMACK_CIPSO_MAXLEVEL)
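Review bot: The new offset in the else branch, "rule += strlen(skp->smk_known) + 1;", steps over one byte after the label without checking what that byte is or that the written data extends that far, and the sscanf(rule, "%d", &maplevel) that follows parses whatever sits at that position. Nothing in the visible context compares the new offset against the length of the buffer supplied from userspace, so it is worth confirming, or stating in a comment, that the long-label format guarantees a separator and a level field after the label, and failing the write otherwise. The condition after the sscanf rejects only maplevel > SMACK_CIPSO_MAXLEVEL; since "%d" accepts a negative number, a "maplevel < 0" test would fit in the same condition. The commit message also describes updating smack_cipso_apply(), while the diffstat shows a one-line change to smackfs.c only, so the message should note that this part is not carried here.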
--
1.8.1.2