From: Casey Schaufler Collect the Smack label of the other end on connection so that getsockopt(..., SO_PEERSEC, ...) can report it. This is done in smack_inet_conn_request(). Report the correct value in smack_socket_getpeersec_stream(). Initialize the smk_packet field in the socket blob. Comment on the purpose of smk_packet in the header file and remove the unused smk_depth field from the blob. Signed-off-by: Casey Schaufler Signed-off-by: Andrew Morton --- security/smack/smack.h | 7 +++---- security/smack/smack_lsm.c | 14 +++++++++++--- 2 files changed, 14 insertions(+), 7 deletions(-) diff -puN security/smack/smack.h~smack-getpeercred_stream-fix-for-so_peersec-and-tcp security/smack/smack.h --- a/security/smack/smack.h~smack-getpeercred_stream-fix-for-so_peersec-and-tcp +++ a/security/smack/smack.h @@ -44,10 +44,9 @@ struct superblock_smack { }; struct socket_smack { - char *smk_out; /* outbound label */ - char *smk_in; /* inbound label */ - char smk_packet[SMK_LABELLEN]; - int smk_depth; + char *smk_out; /* outbound label */ + char *smk_in; /* inbound label */ + char smk_packet[SMK_LABELLEN]; /* TCP peer label */ }; /* diff -puN security/smack/smack_lsm.c~smack-getpeercred_stream-fix-for-so_peersec-and-tcp security/smack/smack_lsm.c --- a/security/smack/smack_lsm.c~smack-getpeercred_stream-fix-for-so_peersec-and-tcp +++ a/security/smack/smack_lsm.c @@ -1232,6 +1232,7 @@ static int smack_sk_alloc_security(struc ssp->smk_in = csp; ssp->smk_out = csp; + ssp->smk_packet[0] = '\0'; sk->sk_security = ssp; @@ -2115,11 +2116,11 @@ static int smack_socket_getpeersec_strea int rc = 0; ssp = sock->sk->sk_security; - slen = strlen(ssp->smk_out); + slen = strlen(ssp->smk_packet) + 1; if (slen > len) rc = -ERANGE; - else if (copy_to_user(optval, ssp->smk_out, slen) != 0) + else if (copy_to_user(optval, ssp->smk_packet, slen) != 0) rc = -EFAULT; if (put_user(slen, optlen) != 0) @@ -2251,8 +2252,15 @@ static int smack_inet_conn_request(struc /* * Receiving a packet requires that the other end * be able to write here. Read access is not required. + * + * If the request is successful save the peer's label + * so that SO_PEERCRED can report it. */ - return smk_access(smack, ssp->smk_in, MAY_WRITE); + rc = smk_access(smack, ssp->smk_in, MAY_WRITE); + if (rc == 0) + strncpy(ssp->smk_packet, smack, SMK_MAXLEN); + + return rc; } /* _