From: Paolo Abeni <pabeni@redhat.com>
To: linux-security-module@vger.kernel.org
Cc: Paul Moore <paul@paul-moore.com>,
selinux@vger.kernel.org, mptcp@lists.linux.dev
Subject: [PATCH 2/2] selinux: Implement mptcp_add_subflow hook
Date: Wed, 14 Dec 2022 23:01:58 +0100 [thread overview]
Message-ID: <d6f04d238c8a797899d6cb543a43f75e544221af.1671054577.git.pabeni@redhat.com> (raw)
In-Reply-To: <cover.1671054577.git.pabeni@redhat.com>
Newly added subflows should inherit the associated label
from the current process context, regarless of the sk_kern_sock
flag value.
This patch implements the above resetting the subflow sid, deleting
the existing subflow label, if any, and then re-creating a new one.
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
---
security/selinux/hooks.c | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 3c5be76a9199..cbb4c711c502 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5476,6 +5476,35 @@ static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk
selinux_netlbl_sctp_sk_clone(sk, newsk);
}
+static int selinux_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
+{
+ const struct task_security_struct *tsec = selinux_cred(current_cred());
+ struct sk_security_struct *ssksec = ssk->sk_security;
+ u16 sclass;
+ u32 sid;
+ int err;
+
+ /* create the sid using the current cred, regardless of the ssk kern
+ * flag
+ */
+ sclass = socket_type_to_security_class(ssk->sk_family, ssk->sk_type,
+ ssk->sk_protocol);
+ err = socket_sockcreate_sid(tsec, sclass, &sid);
+ if (err)
+ return err;
+
+ ssksec->sid = sid;
+
+ /* replace the existing subflow label with the new one
+ * inherited from the mptcp socket
+ */
+ if (ssksec->nlbl_secattr != NULL) {
+ netlbl_secattr_free(ssksec->nlbl_secattr);
+ ssksec->nlbl_secattr = NULL;
+ }
+ return selinux_netlbl_socket_post_create(ssk, ssk->sk_family);
+}
+
static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb,
struct request_sock *req)
{
@@ -7216,6 +7245,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
LSM_HOOK_INIT(sctp_assoc_established, selinux_sctp_assoc_established),
+ LSM_HOOK_INIT(mptcp_add_subflow, selinux_mptcp_add_subflow),
LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
--
2.38.1
next prev parent reply other threads:[~2022-12-14 22:03 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-14 22:01 [PATCH 0/2] lsm: introduce and use security_mptcp_add_subflow() Paolo Abeni
2022-12-14 22:01 ` [PATCH 1/2] security, lsm: Introduce security_mptcp_add_subflow() Paolo Abeni
2022-12-15 0:38 ` kernel test robot
2022-12-15 2:09 ` kernel test robot
2022-12-14 22:01 ` Paolo Abeni [this message]
2022-12-15 2:59 ` [PATCH 2/2] selinux: Implement mptcp_add_subflow hook kernel test robot
2022-12-14 22:13 ` [PATCH 0/2] lsm: introduce and use security_mptcp_add_subflow() Paolo Abeni
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d6f04d238c8a797899d6cb543a43f75e544221af.1671054577.git.pabeni@redhat.com \
--to=pabeni@redhat.com \
--cc=linux-security-module@vger.kernel.org \
--cc=mptcp@lists.linux.dev \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).