security: pass asoc to sctp_assoc_request and sctp_sk_clone
This patch is to move secid and peer_secid from endpoint to association,
and pass asoc to sctp_assoc_request and sctp_sk_clone instead of ep. As
ep is the local endpoint and asoc represents a connection, and in SCTP
one sk/ep could have multiple asoc/connection, saving secid/peer_secid
for new asoc will overwrite the old asoc's.
Note that since asoc can be passed as NULL, security_sctp_assoc_request()
is moved to the place right after the new_asoc is created in
sctp_sf_do_5_1B_init() and sctp_sf_do_unexpected_init().
v1->v2:
- fix the description of selinux_netlbl_skbuff_setsid(), as Jakub noticed.
- fix the annotation in selinux_sctp_assoc_request(), as Richard Noticed.
Fixes: 72e89f5008 ("security: Add support for SCTP security hooks")
Reported-by: Prashanth Prahlad <pprahlad@redhat.com>
Reviewed-by: Richard Haines <richard_c_haines@btinternet.com>
Tested-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Xin Long
committed by
David S. Miller
David S. Miller
parent
843c3cbbdf
commit
c081d53f97
@@ -326,11 +326,6 @@ enum sctp_disposition sctp_sf_do_5_1B_init(struct net *net,
|
||||
struct sctp_packet *packet;
|
||||
int len;
|
||||
|
||||
/* Update socket peer label if first association. */
|
||||
if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
|
||||
chunk->skb))
|
||||
return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
|
||||
|
||||
/* 6.10 Bundling
|
||||
* An endpoint MUST NOT bundle INIT, INIT ACK or
|
||||
* SHUTDOWN COMPLETE with any other chunks.
|
||||
@@ -415,6 +410,12 @@ enum sctp_disposition sctp_sf_do_5_1B_init(struct net *net,
|
||||
if (!new_asoc)
|
||||
goto nomem;
|
||||
|
||||
/* Update socket peer label if first association. */
|
||||
if (security_sctp_assoc_request(new_asoc, chunk->skb)) {
|
||||
sctp_association_free(new_asoc);
|
||||
return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
|
||||
}
|
||||
|
||||
if (sctp_assoc_set_bind_addr_from_ep(new_asoc,
|
||||
sctp_scope(sctp_source(chunk)),
|
||||
GFP_ATOMIC) < 0)
|
||||
@@ -780,7 +781,6 @@ enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net,
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/* Delay state machine commands until later.
|
||||
*
|
||||
* Re-build the bind address for the association is done in
|
||||
@@ -1517,11 +1517,6 @@ static enum sctp_disposition sctp_sf_do_unexpected_init(
|
||||
struct sctp_packet *packet;
|
||||
int len;
|
||||
|
||||
/* Update socket peer label if first association. */
|
||||
if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
|
||||
chunk->skb))
|
||||
return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
|
||||
|
||||
/* 6.10 Bundling
|
||||
* An endpoint MUST NOT bundle INIT, INIT ACK or
|
||||
* SHUTDOWN COMPLETE with any other chunks.
|
||||
@@ -1594,6 +1589,12 @@ static enum sctp_disposition sctp_sf_do_unexpected_init(
|
||||
if (!new_asoc)
|
||||
goto nomem;
|
||||
|
||||
/* Update socket peer label if first association. */
|
||||
if (security_sctp_assoc_request(new_asoc, chunk->skb)) {
|
||||
sctp_association_free(new_asoc);
|
||||
return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
|
||||
}
|
||||
|
||||
if (sctp_assoc_set_bind_addr_from_ep(new_asoc,
|
||||
sctp_scope(sctp_source(chunk)), GFP_ATOMIC) < 0)
|
||||
goto nomem;
|
||||
@@ -2255,8 +2256,7 @@ enum sctp_disposition sctp_sf_do_5_2_4_dupcook(
|
||||
}
|
||||
|
||||
/* Update socket peer label if first association. */
|
||||
if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
|
||||
chunk->skb)) {
|
||||
if (security_sctp_assoc_request(new_asoc, chunk->skb)) {
|
||||
sctp_association_free(new_asoc);
|
||||
return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user