2023-04-05 12:57:18

by Denis Arefev

Subject: [PATCH] net: Added security socket

Added security_socket_connect.
kernel_connect is in kernel space,
but kernel_connect is used in RPC
requests (/net/sunrpc/xprtsock.c),
and the RPC protocol is used by the NFS server.
This is how we protect the TCP connection
initiated by the client.

Signed-off-by: Denis Arefev <[email protected]>
---
net/socket.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/net/socket.c b/net/socket.c
index 9c92c0e6c4da..9afa2b44a9e5 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -3526,6 +3526,12 @@ EXPORT_SYMBOL(kernel_accept);
int kernel_connect(struct socket *sock, struct sockaddr *addr, int addrlen,
int flags)
{
+ int err;
+
+ err = security_socket_connect(sock, (struct sockaddr *)addr, addrlen);
+ if (err)
+ return err;
+
return sock->ops->connect(sock, addr, addrlen, flags);
}
EXPORT_SYMBOL(kernel_connect);
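Review bot: The cast `(struct sockaddr *)addr` in the new `security_socket_connect(sock, (struct sockaddr *)addr, addrlen)` call is redundant, since `addr` is already declared `struct sockaddr *` in the `kernel_connect` signature two lines above; pass `addr` directly. The more important point is that this hook now runs for every in-kernel caller of `kernel_connect`, including the sunrpc transport the commit message names, under whatever credentials those callers hold at connect time, so the description should say which LSM is expected to enforce the check and what policy rule the kernel-initiated NFS client connection is matched against; without that, a reviewer cannot tell whether existing NFS mounts under a restrictive policy will start failing the connect with the returned `err`.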
--
2.25.1


2023-04-05 16:48:39

by Jakub Kicinski

Subject: Re: [PATCH] net: Added security socket

On Wed, 5 Apr 2023 15:53:08 +0300 Denis Arefev wrote:
> Added security_socket_connect.
> kernel_connect is in kernel space,
> but kernel_connect is used in RPC
> requests (/net/sunrpc/xprtsock.c),
> and the RPC protocol is used by the NFS server.
> This is how we protect the TCP connection
> initiated by the client.

Can you please format this to look like every other commit in the
kernel and use imperative mood?

Then please add to the description _exactly_ how you're going to use
it, i.e. an example of a real rule. And CC
[email protected]