Add calls to security_reconcile_netlbl() in SELinux and Smack to ensure that only packets that are acceptable to all active security modules get sent. Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx> --- security/selinux/hooks.c | 3 +++ security/smack/smack_netfilter.c | 2 ++ 2 files changed, 5 insertions(+) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 84bfcf7ca08b..4a8996b7b477 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -5400,6 +5400,9 @@ static unsigned int selinux_ip_output(struct sk_buff *skb, sid = SECINITSID_KERNEL; if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0) return NF_DROP; + /* verify that this IP option works with other security modules */ + if (sk && security_reconcile_netlbl(sk)) + return NF_DROP; return NF_ACCEPT; } diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c index 7d202dde75b6..55cc38ae07f5 100644 --- a/security/smack/smack_netfilter.c +++ b/security/smack/smack_netfilter.c @@ -89,6 +89,8 @@ static unsigned int smack_ipv4_output(void *priv, return NF_DROP; ssp->smk_set = rc; } + if (security_reconcile_netlbl(sk)) + return NF_DROP; return NF_ACCEPT; } -- 2.17.0
