There are a couple of problems in the currect security hooks in sctp: 1. The hooks incorrectly treat sctp_endpoint in SCTP as request_sock in TCP, while it's in fact no more than an extension of the sock, and represents the local host. It is created when sock is created, not when a conn request comes. sctp_association is actually the correct one to represent the connection, and created when a conn request arrives. 2. security_sctp_assoc_request() hook should also be called in processing COOKIE ECHO, as that's the place where the real assoc is created and used in the future. The problems above may cause accept sk, peeloff sk or client sk having the incorrect security labels. So this patchset is to change some hooks and pass asoc into them and save these secids into asoc, as well as add the missing sctp_assoc_request hook into the COOKIE ECHO processing. v1->v2: - See each patch, and thanks the help from Ondrej, Paul and Richard. Xin Long (4): security: pass asoc to sctp_assoc_request and sctp_sk_clone security: call security_sctp_assoc_request in sctp_sf_do_5_1D_ce security: add sctp_assoc_established hook security: implement sctp_assoc_established hook in selinux Documentation/security/SCTP.rst | 65 +++++++++++++++-------------- include/linux/lsm_hook_defs.h | 6 ++- include/linux/lsm_hooks.h | 13 ++++-- include/linux/security.h | 17 +++++--- include/net/sctp/structs.h | 20 ++++----- net/sctp/sm_statefuns.c | 31 ++++++++------ net/sctp/socket.c | 5 +-- security/security.c | 15 +++++-- security/selinux/hooks.c | 34 ++++++++++----- security/selinux/include/netlabel.h | 4 +- security/selinux/netlabel.c | 18 ++++---- 11 files changed, 133 insertions(+), 95 deletions(-) -- 2.27.0