Hello everyone,

Investigating the yet still spuriously failing SCTP ASCONF test [1] has led me to realize that the SCTP_PARAM_* chunk handling is in fact severely flawed.

The SCTP_PARAM_* code paths reuse the security_sctp_bind_connect() hook, but that hook uses the current task's sid when checking the socket::connect permission, which is not correct, since there is no guarantee on the task context in which the incoming ASCONF packet will be processed. The relevant selinux-testsuite test [1] expects the subject sid to be that of the server, which has been true only by accident, as SCTP often processes the incoming ASCONF chunk via softirq right after it is sent.

This seems tricky to fix, as we don't have any appropriate subject context at hand at the time of receiving the ASCONF chunk... Any ideas?

In the meantime I intend to remove the problematic test from the testsuite, as it is currently impossible to define the expected subject context...

[1] https://github.com/SELinuxProject/selinux-testsuite/blob/378fd34e70753aec709c9de533966775d917b585/tests/sctp/test#L290-L307

-- 
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
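The following is an added userspace reproducer for the path discussed in the message above; it is not code from the original mail, from the selinux-testsuite, or from the kernel. It drives the ASCONF ADD_IP exchange so that a practitioner can observe which subject context ends up in the resulting socket:connect AVC record on the receiving side. Assumptions (not stated on the page): a Linux host with SCTP support and net.sctp.addip_enable=1 (needed for both ends, which here share one netns), 127.0.0.2 reachable on loopback (the Linux default for 127.0.0.0/8), TCP port 7777 free, and SCTP_SOCKOPT_BINDX_ADD having the UAPI value 100 when <linux/sctp.h> is not available. The client binds one loopback address, connects, and then adds a second address with SCTP_SOCKOPT_BINDX_ADD on the established association, which makes the kernel emit an ASCONF(ADD_IP) chunk towards the server; the server's receive path is where security_sctp_bind_connect() is called with SCTP_PARAM_ADD_IP.

```c
/* Added example reproducer (not from the original message or the testsuite).
 * Assumptions: net.sctp.addip_enable=1, loopback 127.0.0.2 reachable,
 * port 7777 free, SCTP_SOCKOPT_BINDX_ADD == 100 if the UAPI header is absent.
 * Run the server and client under distinguishable SELinux domains (e.g. via
 * runcon) and compare the scontext of the socket:connect AVC record with
 * the two contexts: it need not be the server's.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef IPPROTO_SCTP
#define IPPROTO_SCTP 132
#endif
/* Value from <linux/sctp.h>; repeated here so the file builds without it. */
#ifndef SCTP_SOCKOPT_BINDX_ADD
#define SCTP_SOCKOPT_BINDX_ADD 100
#endif

#define PORT 7777

/* Fill a contiguous sockaddr_in array (the layout SCTP_SOCKOPT_BINDX_* expects)
 * from dotted-quad strings. Returns the number filled, or -1 on a bad address. */
int fill_sockaddrs(const char *const *ips, int n, uint16_t port,
                   struct sockaddr_in *out)
{
    for (int i = 0; i < n; i++) {
        memset(&out[i], 0, sizeof(out[i]));
        out[i].sin_family = AF_INET;
        out[i].sin_port = htons(port);
        if (inet_pton(AF_INET, ips[i], &out[i].sin_addr) != 1)
            return -1;
    }
    return n;
}

/* Add addresses to the socket's bind list. Port 0 means "same port as the
 * socket is already bound to". On an established association with ASCONF
 * enabled the kernel follows this with an outgoing ASCONF ADD_IP chunk. */
int bindx_add(int fd, const char *const *ips, int n)
{
    struct sockaddr_in addrs[8];
    if (n > 8 || fill_sockaddrs(ips, n, 0, addrs) < 0)
        return -1;
    return setsockopt(fd, IPPROTO_SCTP, SCTP_SOCKOPT_BINDX_ADD, addrs,
                      (socklen_t)(n * sizeof(addrs[0])));
}

int main(void)
{
    const char *srv_ip[] = { "127.0.0.1" };
    const char *extra[] = { "127.0.0.2" };   /* constructed: address to add */
    struct sockaddr_in srv, local;
    int lfd = socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP);
    if (lfd < 0) { perror("socket(SCTP)"); return 1; }
    fill_sockaddrs(srv_ip, 1, PORT, &srv);
    if (bind(lfd, (struct sockaddr *)&srv, sizeof(srv)) < 0 || listen(lfd, 1) < 0) {
        perror("bind/listen"); return 1;
    }
    pid_t pid = fork();
    if (pid < 0) { perror("fork"); return 1; }
    if (pid == 0) {
        /* Client: bind 127.0.0.1 on an ephemeral port, then connect. */
        int cfd = socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP);
        fill_sockaddrs(srv_ip, 1, 0, &local);
        if (cfd < 0 || bind(cfd, (struct sockaddr *)&local, sizeof(local)) < 0 ||
            connect(cfd, (struct sockaddr *)&srv, sizeof(srv)) < 0) {
            perror("client"); _exit(1);
        }
        /* Association is up: adding a second address sends ASCONF ADD_IP. */
        if (bindx_add(cfd, extra, 1) < 0) { perror("bindx add"); _exit(1); }
        sleep(1);                /* let the peer process the chunk first */
        close(cfd);
        _exit(0);
    }
    int afd = accept(lfd, NULL, NULL);
    if (afd < 0) { perror("accept"); return 1; }
    int status = 1;
    waitpid(pid, &status, 0);
    close(afd);
    close(lfd);
    puts(status == 0 ? "ASCONF sent; inspect the audit log for socket:connect"
                     : "client failed");
    return status == 0 ? 0 : 1;
}
```

Whether the receiving kernel grants or denies the ADD_IP parameter is not visible to the client from this program (a denial only produces an error cause in the ASCONF-ACK), so the result to look at is the AVC record: with the server and client in different domains, the scontext reported for the socket:connect check is what the message above says is not guaranteed to be the server's.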