Re: Bug in SELinux SCTP ASCONF handling

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Tue, May 31, 2022 at 7:53 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> On Tue, May 31, 2022 at 1:05 PM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> > Hello everyone,
> >
> > Investigating the yet still spuriously failing SCTP ASCONF test [1]
>
> FWIW, I haven't seen failures with the SCTP tests when doing my
> testing, but perhaps I've just been lucky with the timing windows.
>
> > has led me to realize that the SCTP_PARAM_* chunk handling is in fact
> > severely flawed. The SCTP_PARAM_* code paths reuse the
> > security_sctp_bind_connect() hook, but that hook uses the current
> > task's sid when checking the socket::connect permission, which is not
> > correct, since there is no guarantee on the task context in which the
> > incoming ASCONF packet will be processed.
> >
> > The relevant selinux-testsuite test [1] expects the subject sid to be
> > the one of the server, which has been true only by accident, as SCTP
> > often processes the incoming ASCONF chunk via softirq right after it
> > is sent.
> >
> > This seems tricky to fix, as we don't have any appropriate subject
> > context at hand at the time of receiving the ASCONF chunk... Any
> > ideas?

>From a quick skim of the SCTP RFCs, the ASCONF chunk is sent from a
remote endpoint to update the SCTP parameters so in this case I
believe the subject should be the remote peer (the association/sock's
peer_secid) and the object should be the local association/socket.
It's important to note that any access control checks using the remote
peer label should be gated by the selinux_peerlbl_enabled() function,
see selinux_socket_sock_rcv_skb() for an example.

I haven't looked too closely, but my initial gut feeling would be to
move the sock_has_perm() call out of selinux_socket_connect_helper()
and either modify the sock_has_perm() function to take the subject as
a parameter, or open code it inside selinux_sctp_bind_connect() using
the peer label.  I suspect the additional parameter will be cleaner
due to the common_audit_data requirement of avc_has_perm().

-- 
paul-moore.com
[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux