security: pass asoc to sctp_assoc_request and sctp_sk_clone
This patch is to move secid and peer_secid from endpoint to association,
and pass asoc to sctp_assoc_request and sctp_sk_clone instead of ep. As
ep is the local endpoint and asoc represents a connection, and in SCTP
one sk/ep could have multiple asoc/connection, saving secid/peer_secid
for new asoc will overwrite the old asoc's.
Note that since asoc can be passed as NULL, security_sctp_assoc_request()
is moved to the place right after the new_asoc is created in
sctp_sf_do_5_1B_init() and sctp_sf_do_unexpected_init().
v1->v2:
- fix the description of selinux_netlbl_skbuff_setsid(), as Jakub noticed.
- fix the annotation in selinux_sctp_assoc_request(), as Richard Noticed.
Fixes: 72e89f5008 ("security: Add support for SCTP security hooks")
Reported-by: Prashanth Prahlad <pprahlad@redhat.com>
Reviewed-by: Richard Haines <richard_c_haines@btinternet.com>
Tested-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Xin Long
committed by
David S. Miller
David S. Miller
parent
843c3cbbdf
commit
c081d53f97
@@ -5339,10 +5339,10 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent)
|
||||
* connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association
|
||||
* already present).
|
||||
*/
|
||||
static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
|
||||
static int selinux_sctp_assoc_request(struct sctp_association *asoc,
|
||||
struct sk_buff *skb)
|
||||
{
|
||||
struct sk_security_struct *sksec = ep->base.sk->sk_security;
|
||||
struct sk_security_struct *sksec = asoc->base.sk->sk_security;
|
||||
struct common_audit_data ad;
|
||||
struct lsm_network_audit net = {0,};
|
||||
u8 peerlbl_active;
|
||||
@@ -5359,7 +5359,7 @@ static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
|
||||
/* This will return peer_sid = SECSID_NULL if there are
|
||||
* no peer labels, see security_net_peersid_resolve().
|
||||
*/
|
||||
err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
|
||||
err = selinux_skb_peerlbl_sid(skb, asoc->base.sk->sk_family,
|
||||
&peer_sid);
|
||||
if (err)
|
||||
return err;
|
||||
@@ -5383,7 +5383,7 @@ static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
|
||||
*/
|
||||
ad.type = LSM_AUDIT_DATA_NET;
|
||||
ad.u.net = &net;
|
||||
ad.u.net->sk = ep->base.sk;
|
||||
ad.u.net->sk = asoc->base.sk;
|
||||
err = avc_has_perm(&selinux_state,
|
||||
sksec->peer_sid, peer_sid, sksec->sclass,
|
||||
SCTP_SOCKET__ASSOCIATION, &ad);
|
||||
@@ -5392,7 +5392,7 @@ static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
|
||||
}
|
||||
|
||||
/* Compute the MLS component for the connection and store
|
||||
* the information in ep. This will be used by SCTP TCP type
|
||||
* the information in asoc. This will be used by SCTP TCP type
|
||||
* sockets and peeled off connections as they cause a new
|
||||
* socket to be generated. selinux_sctp_sk_clone() will then
|
||||
* plug this into the new socket.
|
||||
@@ -5401,11 +5401,11 @@ static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
|
||||
if (err)
|
||||
return err;
|
||||
|
||||
ep->secid = conn_sid;
|
||||
ep->peer_secid = peer_sid;
|
||||
asoc->secid = conn_sid;
|
||||
asoc->peer_secid = peer_sid;
|
||||
|
||||
/* Set any NetLabel labels including CIPSO/CALIPSO options. */
|
||||
return selinux_netlbl_sctp_assoc_request(ep, skb);
|
||||
return selinux_netlbl_sctp_assoc_request(asoc, skb);
|
||||
}
|
||||
|
||||
/* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
|
||||
@@ -5490,7 +5490,7 @@ static int selinux_sctp_bind_connect(struct sock *sk, int optname,
|
||||
}
|
||||
|
||||
/* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
|
||||
static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
|
||||
static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk,
|
||||
struct sock *newsk)
|
||||
{
|
||||
struct sk_security_struct *sksec = sk->sk_security;
|
||||
@@ -5502,8 +5502,8 @@ static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
|
||||
if (!selinux_policycap_extsockclass())
|
||||
return selinux_sk_clone_security(sk, newsk);
|
||||
|
||||
newsksec->sid = ep->secid;
|
||||
newsksec->peer_sid = ep->peer_secid;
|
||||
newsksec->sid = asoc->secid;
|
||||
newsksec->peer_sid = asoc->peer_secid;
|
||||
newsksec->sclass = sksec->sclass;
|
||||
selinux_netlbl_sctp_sk_clone(sk, newsk);
|
||||
}
|
||||
|
||||
@@ -39,7 +39,7 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
|
||||
int selinux_netlbl_skbuff_setsid(struct sk_buff *skb,
|
||||
u16 family,
|
||||
u32 sid);
|
||||
int selinux_netlbl_sctp_assoc_request(struct sctp_endpoint *ep,
|
||||
int selinux_netlbl_sctp_assoc_request(struct sctp_association *asoc,
|
||||
struct sk_buff *skb);
|
||||
int selinux_netlbl_inet_conn_request(struct request_sock *req, u16 family);
|
||||
void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family);
|
||||
@@ -98,7 +98,7 @@ static inline int selinux_netlbl_skbuff_setsid(struct sk_buff *skb,
|
||||
return 0;
|
||||
}
|
||||
|
||||
static inline int selinux_netlbl_sctp_assoc_request(struct sctp_endpoint *ep,
|
||||
static inline int selinux_netlbl_sctp_assoc_request(struct sctp_association *asoc,
|
||||
struct sk_buff *skb)
|
||||
{
|
||||
return 0;
|
||||
|
||||
@@ -261,30 +261,30 @@ skbuff_setsid_return:
|
||||
|
||||
/**
|
||||
* selinux_netlbl_sctp_assoc_request - Label an incoming sctp association.
|
||||
* @ep: incoming association endpoint.
|
||||
* @asoc: incoming association.
|
||||
* @skb: the packet.
|
||||
*
|
||||
* Description:
|
||||
* A new incoming connection is represented by @ep, ......
|
||||
* A new incoming connection is represented by @asoc, ......
|
||||
* Returns zero on success, negative values on failure.
|
||||
*
|
||||
*/
|
||||
int selinux_netlbl_sctp_assoc_request(struct sctp_endpoint *ep,
|
||||
int selinux_netlbl_sctp_assoc_request(struct sctp_association *asoc,
|
||||
struct sk_buff *skb)
|
||||
{
|
||||
int rc;
|
||||
struct netlbl_lsm_secattr secattr;
|
||||
struct sk_security_struct *sksec = ep->base.sk->sk_security;
|
||||
struct sk_security_struct *sksec = asoc->base.sk->sk_security;
|
||||
struct sockaddr_in addr4;
|
||||
struct sockaddr_in6 addr6;
|
||||
|
||||
if (ep->base.sk->sk_family != PF_INET &&
|
||||
ep->base.sk->sk_family != PF_INET6)
|
||||
if (asoc->base.sk->sk_family != PF_INET &&
|
||||
asoc->base.sk->sk_family != PF_INET6)
|
||||
return 0;
|
||||
|
||||
netlbl_secattr_init(&secattr);
|
||||
rc = security_netlbl_sid_to_secattr(&selinux_state,
|
||||
ep->secid, &secattr);
|
||||
asoc->secid, &secattr);
|
||||
if (rc != 0)
|
||||
goto assoc_request_return;
|
||||
|
||||
@@ -294,11 +294,11 @@ int selinux_netlbl_sctp_assoc_request(struct sctp_endpoint *ep,
|
||||
if (ip_hdr(skb)->version == 4) {
|
||||
addr4.sin_family = AF_INET;
|
||||
addr4.sin_addr.s_addr = ip_hdr(skb)->saddr;
|
||||
rc = netlbl_conn_setattr(ep->base.sk, (void *)&addr4, &secattr);
|
||||
rc = netlbl_conn_setattr(asoc->base.sk, (void *)&addr4, &secattr);
|
||||
} else if (IS_ENABLED(CONFIG_IPV6) && ip_hdr(skb)->version == 6) {
|
||||
addr6.sin6_family = AF_INET6;
|
||||
addr6.sin6_addr = ipv6_hdr(skb)->saddr;
|
||||
rc = netlbl_conn_setattr(ep->base.sk, (void *)&addr6, &secattr);
|
||||
rc = netlbl_conn_setattr(asoc->base.sk, (void *)&addr6, &secattr);
|
||||
} else {
|
||||
rc = -EAFNOSUPPORT;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user