In this patch we're sending an ICMPv6 message to a peer to
immediately inform it that making a connection is not possible.
In case of TCP connections, without this change, the peer
will be waiting until a connection timeout is exceeded.
Signed-off-by: Piotr Sawicki <p.sawicki2(a)partner.samsung.com>
Changes in v2:
- Add missing Signed-off-by field
Changes in v3:
- Fix formatting issues caused by improper email client configuration
security/smack/smack_lsm.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index c2282ac..efa81bc 100644
@@ -28,6 +28,7 @@
@@ -4010,6 +4011,9 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING);
#endif /* SMACK_IPV6_PORT_LABELING */
+ if (rc != 0)
+ icmpv6_send(skb, ICMPV6_DEST_UNREACH,
+ ICMPV6_ADM_PROHIBITED, 0);
#endif /* CONFIG_IPV6 */
Is there anyone who is doing consulting on setting up Smack rules?
I have been approached by someone who is using Yocto Project to
create an embedded system and would like to customize their Smack
rules. They are looking for someone to help them get this correct.
If you, or someone you know is interested in doing this please let
me know, and I'll pass your information along.