From: Xin Long <lucien.xin@gmail.com>
To: network dev <netdev@vger.kernel.org>,
selinux@vger.kernel.org, linux-security-module@vger.kernel.org,
linux-sctp@vger.kernel.org
Cc: davem@davemloft.net, kuba@kernel.org,
Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>,
James Morris <jmorris@namei.org>,
Paul Moore <paul@paul-moore.com>,
Richard Haines <richard_c_haines@btinternet.com>,
Ondrej Mosnacek <omosnace@redhat.com>
Subject: [PATCH net 0/4] security: fixups for the security hooks in sctp
Date: Fri, 22 Oct 2021 02:36:08 -0400 [thread overview]
Message-ID: <cover.1634884487.git.lucien.xin@gmail.com> (raw)
There are a couple of problems in the currect security hooks in sctp:
1. The hooks incorrectly treat sctp_endpoint in SCTP as request_sock in
TCP, while it's in fact no more than an extension of the sock, and
represents the local host. It is created when sock is created, not
when a conn request comes. sctp_association is actually the correct
one to represent the connection, and created when a conn request
arrives.
2. security_sctp_assoc_request() hook should also be called in processing
COOKIE ECHO, as that's the place where the real assoc is created and
used in the future.
The problems above may cause accept sk, peeloff sk or client sk having
the incorrect security labels.
So this patchset is to change some hooks and pass asoc into them and save
these secids into asoc, as well as add the missing sctp_assoc_request
hook into the COOKIE ECHO processing.
Xin Long (4):
security: pass asoc to sctp_assoc_request and sctp_sk_clone
security: call security_sctp_assoc_request in sctp_sf_do_5_1D_ce
security: add sctp_assoc_established hook
security: implement sctp_assoc_established hook in selinux
Documentation/security/SCTP.rst | 65 +++++++++++++++--------------
include/linux/lsm_hook_defs.h | 6 ++-
include/linux/lsm_hooks.h | 13 ++++--
include/linux/security.h | 18 +++++---
include/net/sctp/structs.h | 20 ++++-----
net/sctp/sm_statefuns.c | 31 ++++++++------
net/sctp/socket.c | 5 +--
security/security.c | 15 +++++--
security/selinux/hooks.c | 36 +++++++++++-----
security/selinux/include/netlabel.h | 4 +-
security/selinux/netlabel.c | 14 +++----
11 files changed, 135 insertions(+), 92 deletions(-)
--
2.27.0
next reply other threads:[~2021-10-22 6:36 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-22 6:36 Xin Long [this message]
2021-10-22 6:36 ` [PATCH net 1/4] security: pass asoc to sctp_assoc_request and sctp_sk_clone Xin Long
2021-10-22 15:35 ` Jakub Kicinski
2021-10-23 4:25 ` Xin Long
2021-10-24 13:50 ` Richard Haines
2021-10-22 6:36 ` [PATCH net 2/4] security: call security_sctp_assoc_request in sctp_sf_do_5_1D_ce Xin Long
2021-10-25 7:58 ` Ondrej Mosnacek
2021-10-22 6:36 ` [PATCH net 3/4] security: add sctp_assoc_established hook Xin Long
2021-10-24 18:45 ` kernel test robot
2021-10-25 5:01 ` kernel test robot
2021-10-25 8:01 ` Ondrej Mosnacek
2021-10-22 6:36 ` [PATCH net 4/4] security: implement sctp_assoc_established hook in selinux Xin Long
2021-10-25 8:17 ` Ondrej Mosnacek
2021-10-25 10:51 ` Xin Long
2021-10-25 12:08 ` Ondrej Mosnacek
[not found] ` <CADvbK_eE9VhB2cWzHSk_LNm_VemEt9vm=FMMVYzo5eVH=zEhKw@mail.gmail.com>
2021-10-25 21:51 ` Paul Moore
2021-10-26 4:47 ` Xin Long
2021-10-26 20:30 ` Paul Moore
2021-10-27 4:00 ` Xin Long
2021-10-27 14:41 ` Paul Moore
2021-10-24 13:42 ` [PATCH net 0/4] security: fixups for the security hooks in sctp Richard Haines
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cover.1634884487.git.lucien.xin@gmail.com \
--to=lucien.xin@gmail.com \
--cc=davem@davemloft.net \
--cc=jmorris@namei.org \
--cc=kuba@kernel.org \
--cc=linux-sctp@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=marcelo.leitner@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=richard_c_haines@btinternet.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).