linux-security-module.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Paolo Abeni <pabeni@redhat.com>
To: linux-security-module@vger.kernel.org
Cc: Paul Moore <paul@paul-moore.com>,
	selinux@vger.kernel.org, mptcp@lists.linux.dev
Subject: [PATCH 2/2] selinux: Implement mptcp_add_subflow hook
Date: Wed, 14 Dec 2022 23:01:58 +0100	[thread overview]
Message-ID: <d6f04d238c8a797899d6cb543a43f75e544221af.1671054577.git.pabeni@redhat.com> (raw)
In-Reply-To: <cover.1671054577.git.pabeni@redhat.com>

Newly added subflows should inherit the associated label
from the current process context, regarless of the sk_kern_sock
flag value.

This patch implements the above resetting the subflow sid, deleting
the existing subflow label, if any, and then re-creating a new one.

Signed-off-by: Paolo Abeni <pabeni@redhat.com>
---
 security/selinux/hooks.c | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 3c5be76a9199..cbb4c711c502 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5476,6 +5476,35 @@ static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk
 	selinux_netlbl_sctp_sk_clone(sk, newsk);
 }
 
+static int selinux_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
+{
+	const struct task_security_struct *tsec = selinux_cred(current_cred());
+	struct sk_security_struct *ssksec = ssk->sk_security;
+	u16 sclass;
+	u32 sid;
+	int err;
+
+	/* create the sid using the current cred, regardless of the ssk kern
+	 * flag
+	 */
+	sclass = socket_type_to_security_class(ssk->sk_family, ssk->sk_type,
+					       ssk->sk_protocol);
+	err = socket_sockcreate_sid(tsec, sclass, &sid);
+	if (err)
+		return err;
+
+	ssksec->sid = sid;
+
+	/* replace the existing subflow label with the new one
+	 * inherited from the mptcp socket
+	 */
+	if (ssksec->nlbl_secattr != NULL) {
+		netlbl_secattr_free(ssksec->nlbl_secattr);
+		ssksec->nlbl_secattr = NULL;
+	}
+	return selinux_netlbl_socket_post_create(ssk, ssk->sk_family);
+}
+
 static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb,
 				     struct request_sock *req)
 {
@@ -7216,6 +7245,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
 	LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
 	LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
 	LSM_HOOK_INIT(sctp_assoc_established, selinux_sctp_assoc_established),
+	LSM_HOOK_INIT(mptcp_add_subflow, selinux_mptcp_add_subflow),
 	LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
 	LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
 	LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
-- 
2.38.1


  parent reply	other threads:[~2022-12-14 22:03 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-12-14 22:01 [PATCH 0/2] lsm: introduce and use security_mptcp_add_subflow() Paolo Abeni
2022-12-14 22:01 ` [PATCH 1/2] security, lsm: Introduce security_mptcp_add_subflow() Paolo Abeni
2022-12-15  0:38   ` kernel test robot
2022-12-15  2:09   ` kernel test robot
2022-12-14 22:01 ` Paolo Abeni [this message]
2022-12-15  2:59   ` [PATCH 2/2] selinux: Implement mptcp_add_subflow hook kernel test robot
2022-12-14 22:13 ` [PATCH 0/2] lsm: introduce and use security_mptcp_add_subflow() Paolo Abeni

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=d6f04d238c8a797899d6cb543a43f75e544221af.1671054577.git.pabeni@redhat.com \
    --to=pabeni@redhat.com \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mptcp@lists.linux.dev \
    --cc=paul@paul-moore.com \
    --cc=selinux@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).