On Thu, Mar 02, 2017 at 03:45:40PM -0500, Stephen Smalley wrote:
> On Wed, 2017-02-22 at 17:03 +0000, Richard Haines wrote:
<snip>
> > +	return err;
> > +}
> > +
> > +static int selinux_sctp_accept_conn(struct sctp_endpoint *ep,
> > +				    struct sk_buff *skb)
> > +{
> > +	struct sk_security_struct *sksec = ep->base.sk->sk_security;
> > +	int err;
> > +	u32 connsid;
> > +	u32 peersid;
> > +
> > +	/* Have COOKIE ECHO so compute the MLS component for the connection
> > +	 * and store the information in ep. This will only be used by
> > +	 * TCP/peeloff connections as they cause a new socket to be generated.
>
> Not sure why you say TCP above. And won't this be true of accept()'d
> sockets too in addition to peeloff ones?

Probably just a typo, should be SCTP instead.

Speaking of accept() path, I think we have an issue there with this
patch, because it's doing:

@@ -7683,8 +7717,6 @@ void sctp_copy_sock(struct sock *newsk, struct sock *sk,
-	security_sk_clone(sk, newsk);

@@ -7829,6 +7862,11 @@ static void sctp_sock_migrate(struct sock *oldsk, struct
+	security_sctp_sk_clone(oldep, oldsk, newsk);

But sctp_copy_sock() is called from places other than sctp_sock_migrate,
mainly:

net/sctp/ipv6.c:	sctp_copy_sock(newsk, sk, asoc);
net/sctp/protocol.c:	sctp_copy_sock(newsk, sk, asoc);

Which are on the accept() path.

Ideally it's better to keep the call to security_sctp_sk_clone in
sctp_copy_sock() to get those covered too.

  Marcelo

> > +	 * selinux_sctp_sk_clone() will then plug this into the new socket
> > +	 * as described in Documentation/security/LSM-sctp.txt
> > +	 */
> > +	err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family, &peersid);
> > +	if (err)
> > +		return err;
> > +
> > +	err = selinux_conn_sid(sksec->sid, peersid, &connsid);
> > +	if (err)
> > +		return err;
> > +
> > +	ep->secid = connsid;
> > +	ep->peer_secid = peersid;
> > +
> > +	return 0;
> > +}
> > +
> --
> To unsubscribe from this list: send the line "unsubscribe linux-sctp" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
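Review bot: the two hunks cited above leave the accept() path without any LSM socket clone: the first hunk removes `security_sk_clone(sk, newsk);` from sctp_copy_sock(), while the second adds `security_sctp_sk_clone(oldep, oldsk, newsk);` only in sctp_sock_migrate(), so the sctp_copy_sock() callers listed in net/sctp/ipv6.c and net/sctp/protocol.c produce a newsk whose sk_security is never initialised from the parent socket or from the ep->secid / ep->peer_secid values that selinux_sctp_accept_conn() stores for exactly this purpose. Suggest keeping a clone call in sctp_copy_sock() (security_sctp_sk_clone() with the association's endpoint, as the reply proposes) rather than only in the peeloff/migrate path, and adding a test that an accept()'d SCTP socket carries the expected label. Separately, the comment in selinux_sctp_accept_conn() should read "SCTP/peeloff" and mention accept()'d sockets, as already noted in the thread.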