On Thu, Mar 02, 2017 at 03:45:40PM -0500, Stephen Smalley wrote:
> On Wed, 2017-02-22 at 17:03 +0000, Richard Haines wrote:
<snip>
> > + return err;
> > +}
> > +
> > +static int selinux_sctp_accept_conn(struct sctp_endpoint *ep,
> > + struct sk_buff *skb)
> > +{
> > + struct sk_security_struct *sksec = ep->base.sk->sk_security;
> > + int err;
> > + u32 connsid;
> > + u32 peersid;
> > +
> > + /* Have COOKIE ECHO so compute the MLS component for the
> > connection
> > + * and store the information in ep. This will only be used
> > by
> > + * TCP/peeloff connections as they cause a new socket to be
> > generated.
>
> Not sure why you say TCP above. And won't this be true of accept()'d
Probably just a typo, should be SCTP instead.
> sockets too in addition to peeloff ones?
Speaking of accept() path, I think we have an issue there with this
patch, because it's doing:
@@ -7683,8 +7717,6 @@ void sctp_copy_sock(struct sock *newsk, struct
sock *sk,
- security_sk_clone(sk, newsk);
@@ -7829,6 +7862,11 @@ static void sctp_sock_migrate(struct sock *oldsk,
struct
+ security_sctp_sk_clone(oldep, oldsk, newsk);
But sctp_copy_sock() is called from places other than
sctp_sock_migrate, mainly:
net/sctp/ipv6.c: sctp_copy_sock(newsk, sk, asoc);
net/sctp/protocol.c: sctp_copy_sock(newsk, sk, asoc);
Which are on the accept() path.
Ideally it's better to keep the call to security_sctp_sk_clone in
sctp_copy_sock() to get those covered too.
Marcelo
>
> > + * selinux_sctp_sk_clone() will then plug this into the new
> > socket
> > + * as described in Documentation/security/LSM-sctp.txt
> > + */
> > + err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
> > &peersid);
> > + if (err)
> > + return err;
> > +
> > + err = selinux_conn_sid(sksec->sid, peersid, &connsid);
> > + if (err)
> > + return err;
> > +
> > + ep->secid = connsid;
> > + ep->peer_secid = peersid;
> > +
> > + return 0;
> > +}
> > +
> --
> To unsubscribe from this list: send the line "unsubscribe linux-sctp" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
--
To unsubscribe from this list: send the line "unsubscribe linux-sctp" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
