From: Richard Haines <richard_c_haines@btinternet.com>
To: Xin Long <lucien.xin@gmail.com>,
network dev <netdev@vger.kernel.org>,
selinux@vger.kernel.org, linux-security-module@vger.kernel.org,
linux-sctp@vger.kernel.org
Cc: davem@davemloft.net, kuba@kernel.org,
Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>,
James Morris <jmorris@namei.org>,
Paul Moore <paul@paul-moore.com>,
Ondrej Mosnacek <omosnace@redhat.com>
Subject: Re: [PATCH net 0/4] security: fixups for the security hooks in sctp
Date: Sun, 24 Oct 2021 14:42:25 +0100
Message-ID: <abf8607d35cf4b5de1cfb14de81f2c77b7a0c2f5.camel@btinternet.com>
In-Reply-To: <cover.1634884487.git.lucien.xin@gmail.com>
On Fri, 2021-10-22 at 02:36 -0400, Xin Long wrote:
> There are a couple of problems in the current security hooks in sctp:
>
> 1. The hooks incorrectly treat sctp_endpoint in SCTP as request_sock in
> TCP, while it's in fact no more than an extension of the sock, and
> represents the local host. It is created when sock is created, not
> when a conn request comes. sctp_association is actually the correct
> one to represent the connection, and created when a conn request
> arrives.
>
> 2. security_sctp_assoc_request() hook should also be called in processing
> COOKIE ECHO, as that's the place where the real assoc is created and
> used in the future.
>
> The problems above may cause accept sk, peeloff sk or client sk having
> the incorrect security labels.
>
> So this patchset is to change some hooks and pass asoc into them and save
> these secids into asoc, as well as add the missing sctp_assoc_request
> hook into the COOKIE ECHO processing.
I've built this patchset on kernel 5.15-rc5 with no problems.
I tested this using the SELinux testsuite with Ondrej's "[PATCH
testsuite] tests/sctp: add client peeloff tests" [1] added. All SCTP
tests ran with no errors. Also ran the sctp-tests from [2] with no
errors.
[1] https://lore.kernel.org/selinux/20211021144543.740762-1-omosnace@redhat.com/
[2] https://github.com/sctp/sctp-tests.git
Reviewed-by: Richard Haines <richard_c_haines@btinternet.com>
Tested-by: Richard Haines <richard_c_haines@btinternet.com>
>
> Xin Long (4):
> security: pass asoc to sctp_assoc_request and sctp_sk_clone
> security: call security_sctp_assoc_request in sctp_sf_do_5_1D_ce
> security: add sctp_assoc_established hook
> security: implement sctp_assoc_established hook in selinux
>
> Documentation/security/SCTP.rst | 65 +++++++++++++++--------------
> include/linux/lsm_hook_defs.h | 6 ++-
> include/linux/lsm_hooks.h | 13 ++++--
> include/linux/security.h | 18 +++++---
> include/net/sctp/structs.h | 20 ++++-----
> net/sctp/sm_statefuns.c | 31 ++++++++------
> net/sctp/socket.c | 5 +--
> security/security.c | 15 +++++--
> security/selinux/hooks.c | 36 +++++++++++-----
> security/selinux/include/netlabel.h | 4 +-
> security/selinux/netlabel.c | 14 +++----
> 11 files changed, 135 insertions(+), 92 deletions(-)
>