On Mon, Oct 30, 2023 at 4:12 PM Kuniyuki Iwashima <kuniyu@xxxxxxxxxx> wrote:
>
> Initially, commit 4237c75c0a35 ("[MLSXFRM]: Auto-labeling of child
> sockets") introduced security_inet_conn_request() in some functions
> where reqsk is allocated. The hook is added just after the allocation,
> so reqsk's IPv6 remote address was not initialised then.
>
> However, SELinux/Smack started to read it in netlbl_req_setattr()
> after commit e1adea927080 ("calipso: Allow request sockets to be
> relabelled by the lsm.").
>
> Commit 284904aa7946 ("lsm: Relocate the IPv4 security_inet_conn_request()
> hooks") fixed that kind of issue only in TCPv4 because IPv6 labeling was
> not supported at that time. Finally, the same issue was introduced again
> in IPv6.
>
> Let's apply the same fix on DCCPv6 and TCPv6.
>
> Fixes: e1adea927080 ("calipso: Allow request sockets to be relabelled by the lsm.")
> Signed-off-by: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>
> ---
> Cc: Huw Davies <huw@xxxxxxxxxxxxxxx>
> Cc: Paul Moore <paul@xxxxxxxxxxxxxx>
> ---
> net/dccp/ipv6.c | 6 +++---
> net/ipv6/syncookies.c | 7 ++++---
> 2 files changed, 7 insertions(+), 6 deletions(-)
Thanks for catching this and submitting a patch!
It seems like we should also update dccp_v4_conn_request(), what do you think?
> diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
> index 8d344b219f84..4550b680665a 100644
> --- a/net/dccp/ipv6.c
> +++ b/net/dccp/ipv6.c
> @@ -360,15 +360,15 @@ static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
> if (dccp_parse_options(sk, dreq, skb))
> goto drop_and_free;
>
> - if (security_inet_conn_request(sk, skb, req))
> - goto drop_and_free;
> -
> ireq = inet_rsk(req);
> ireq->ir_v6_rmt_addr = ipv6_hdr(skb)->saddr;
> ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr;
> ireq->ireq_family = AF_INET6;
> ireq->ir_mark = inet_request_mark(sk, skb);
>
> + if (security_inet_conn_request(sk, skb, req))
> + goto drop_and_free;
> +
> if (ipv6_opt_accepted(sk, skb, IP6CB(skb)) ||
> np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo ||
> np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim) {
> diff --git a/net/ipv6/syncookies.c b/net/ipv6/syncookies.c
> index 500f6ed3b8cf..12eedc6ca2cc 100644
> --- a/net/ipv6/syncookies.c
> +++ b/net/ipv6/syncookies.c
> @@ -181,14 +181,15 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb)
> treq = tcp_rsk(req);
> treq->tfo_listener = false;
>
> - if (security_inet_conn_request(sk, skb, req))
> - goto out_free;
> -
> req->mss = mss;
> ireq->ir_rmt_port = th->source;
> ireq->ir_num = ntohs(th->dest);
> ireq->ir_v6_rmt_addr = ipv6_hdr(skb)->saddr;
> ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr;
> +
> + if (security_inet_conn_request(sk, skb, req))
> + goto out_free;
> +
> if (ipv6_opt_accepted(sk, skb, &TCP_SKB_CB(skb)->header.h6) ||
> np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo ||
> np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim) {
> --
> 2.30.2
--
paul-moore.com
