Received: by 10.192.165.148 with SMTP id m20csp3433275imm;
        Mon, 23 Apr 2018 06:34:17 -0700 (PDT)
X-Google-Smtp-Source: AIpwx4+P2TYtGB8bSChrD68jFSsB7P/BM0D6DmLPvE6tqZ3m/8Jsut9QDazyw83GnWZgaWFa2msy
X-Received: by 10.167.131.92 with SMTP id z28mr11510384pfm.237.1524490457474;
        Mon, 23 Apr 2018 06:34:17 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1524490457; cv=none;
        d=google.com; s=arc-20160816;
        b=neixGjWFY7bCVpRcqMh2q/z6gqkMOqf/wWylDzhxrFcZVD2gwIaLbidexYw/+AzLxf
         2U3vALe8T6REY1aUasYb18c9EwxUKOb+xFataNQdfXN9oSgINgzSXz4y+iCrl69UPdPv
         i/3eKGVtTsBdVxEiMjxJ2S+GIsCeF8HweUFIlAmLq/b3XEx3m2opvaA/H0D6qZ8+xwaG
         UyCT9621SDgZqg+0dk13+lc/j+LZiywq8IE7MoXB2lpMP0GsiO53hEQjWvAcA1rsdQOY
         WKCC2xYhV5rzaQEFzmuy/R4U+XFSWtWWo3WVgyhXeba8e2dXdTVsvEBordxc6CDbQDrr
         k2Sw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:references:in-reply-to:message-id:date
         :subject:cc:to:from:dkim-signature:arc-authentication-results;
        bh=MwmycSb2Z3vLqKx7Jk6MaqeWFf7bSrL18ppFc7RjFwU=;
        b=RfS+mJ2MRonSAtdo7tvBUbRBXzfMDLo+D4U3SaT3iumqfAO5iKYiYG/7p55Cx/zPq6
         642Zn2pqO/hKCADiCnprOmwFq6Yj2i3WHBHeg6A006CTqt85WvSFFbk1IWvpVUH9QX1j
         EBZ+KPeQMowQr06ggEf7vEhnuX5taiAfy47lhpRXd2KkTfTXFqa7RIzFf3MWeA71V6zd
         AvoMKGHnnc70L+vc3YEzKo2KS8X4ttXtWI4Cdntgdnq6l8XcZc/3ETNN2SaMCmyCgQm1
         seyCrKS4UR+NEfsAvfo5Hrgg+nG/zfLblniPaYwS5gvGTDaBolYoRQISgKkp1JfHez2V
         asRA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=qBEsFqSV;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id x4si9883181pgt.575.2018.04.23.06.34.02;
        Mon, 23 Apr 2018 06:34:17 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=qBEsFqSV;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1755403AbeDWNcD (ORCPT <rfc822;tanxianhu@gmail.com> + 99 others);
        Mon, 23 Apr 2018 09:32:03 -0400
Received: from mail-wr0-f193.google.com ([209.85.128.193]:38983 "EHLO
        mail-wr0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1755200AbeDWNa6 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 23 Apr 2018 09:30:58 -0400
Received: by mail-wr0-f193.google.com with SMTP id q3-v6so31315007wrj.6;
        Mon, 23 Apr 2018 06:30:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=from:to:cc:subject:date:message-id:in-reply-to:references;
        bh=MwmycSb2Z3vLqKx7Jk6MaqeWFf7bSrL18ppFc7RjFwU=;
        b=qBEsFqSVWenEPIPYn9LnsIQugC5F7mYDGObFbtiCtOxwYG92q6+ajHLAtqYJRNt0ZM
         3k72A5iwruFIqsOZkAA9TalYM/K9KBOzp/IWiilN/BBvdq6YC1Ke9YY1NQL34wDv0Zao
         fBoafDF/ebFauww/GmnYxy5vJTIsRPpcOXz2fdqmJkC1aYyfns7bOR8A6eWiGrjzIp4p
         ztkj8/LdeXJslNCZBEwnYzJKy9rGaWrFbKu4RqROFaE/aEXJu8aqfAixBLMQ++UoMAG3
         3azY7ETUHv4FMzIs6VLfyUMPC3SMx818KKNuWZX/UziEIOnxBQgg99hSFcAMe+r5qJyq
         K4RA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
         :references;
        bh=MwmycSb2Z3vLqKx7Jk6MaqeWFf7bSrL18ppFc7RjFwU=;
        b=Mhi/UkHq85ozSYMLxNvp+S3C/kKutGPOUHmm0TUQ9JyEed2uiU6SP5TqUgx1qREkyT
         /Xg5LH/zf0jl18Vc8oC/AfRFALC25GZ5ZC6mJ4IXEDf8jzJRgC9nRKl51zZffxdJjX1y
         Cm+s8Pfx6SMkttTJJKh3JQfU3aIJUtAb+aLwfp1YTGxICt/J5CF/Yip1Tm+TnAilutSj
         YtAJSJj42wsFwQ7c+98b7Q66+DxSzG3Rk7wY3mDU+YhhqPrzkGrZFr2ZpEtnyU1gm9+u
         bwSn26U6Vv/MLe1iL3zFJwAt6nQ+45wAqksI7zeKGQuhFaOdMR2wSI9sMcc5r9TWEe+R
         4bjw==
X-Gm-Message-State: ALQs6tBk93Whah6eG8bzUMFTI+1FNimGpZ7C0a4qzrgY9bilZo3reqVI
        sV2iUEskHEKl3CQ8jteSxBG4Jw==
X-Received: by 2002:adf:b859:: with SMTP id u25-v6mr17799384wrf.162.1524490256058;
        Mon, 23 Apr 2018 06:30:56 -0700 (PDT)
Received: from david-x1.fritz.box (p200300C2A3FE3000ECB787D771B96788.dip0.t-ipconnect.de. [2003:c2:a3fe:3000:ecb7:87d7:71b9:6788])
        by smtp.gmail.com with ESMTPSA id 78sm10262548wmm.19.2018.04.23.06.30.54
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 23 Apr 2018 06:30:55 -0700 (PDT)
From:   David Herrmann <dh.herrmann@gmail.com>
To:     linux-kernel@vger.kernel.org
Cc:     James Morris <jmorris@namei.org>, Paul Moore <paul@paul-moore.com>,
        teg@jklm.no, Stephen Smalley <sds@tycho.nsa.gov>,
        selinux@tycho.nsa.gov, linux-security-module@vger.kernel.org,
        Eric Paris <eparis@parisplace.org>, serge@hallyn.com,
        davem@davemloft.net, netdev@vger.kernel.org,
        David Herrmann <dh.herrmann@gmail.com>
Subject: [PATCH 1/3] security: add hook for socketpair(AF_UNIX, ...)
Date:   Mon, 23 Apr 2018 15:30:13 +0200
Message-Id: <20180423133015.5455-2-dh.herrmann@gmail.com>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180423133015.5455-1-dh.herrmann@gmail.com>
References: <20180423133015.5455-1-dh.herrmann@gmail.com>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Right now the LSM labels for socketpairs are always uninitialized,
since there is no security hook for the socketpair() syscall. This
patch adds the required hooks so LSMs can properly label socketpairs.
This allows SO_PEERSEC to return useful information on those sockets.

Note that the behavior of socketpair() can be emulated by creating a
listener socket, connecting to it, and then discarding the initial
listener socket. With this workaround, SO_PEERSEC would return the
caller's security context. However, with socketpair(), the uninitialized
context is returned unconditionally. This is unexpected and makes
socketpair() less useful in situations where the security context is
crucial to the application.

With the new socketpair-hook this disparity can be solved by making
socketpair() return the expected security context.

Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
---
 include/linux/lsm_hooks.h | 8 ++++++++
 include/linux/security.h  | 7 +++++++
 security/security.c       | 6 ++++++
 3 files changed, 21 insertions(+)

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 9d0b286f3dba..2a23c75c1541 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -717,6 +717,12 @@
  *	@other contains the peer sock structure.
  *	@newsk contains the new sock structure.
  *	Return 0 if permission is granted.
+ * @unix_stream_socketpair:
+ *	Check permissions before establishing a Unix domain stream connection
+ *	for a fresh pair of sockets.
+ *	@socka contains the first sock structure.
+ *	@sockb contains the second sock structure.
+ *	Return 0 if permission is granted and the connection was established.
  * @unix_may_send:
  *	Check permissions before connecting or sending datagrams from @sock to
  *	@other.
@@ -1651,6 +1657,7 @@ union security_list_options {
 #ifdef CONFIG_SECURITY_NETWORK
 	int (*unix_stream_connect)(struct sock *sock, struct sock *other,
 					struct sock *newsk);
+	int (*unix_stream_socketpair)(struct sock *socka, struct sock *sockb);
 	int (*unix_may_send)(struct socket *sock, struct socket *other);
 
 	int (*socket_create)(int family, int type, int protocol, int kern);
@@ -1919,6 +1926,7 @@ struct security_hook_heads {
 	struct hlist_head inode_getsecctx;
 #ifdef CONFIG_SECURITY_NETWORK
 	struct hlist_head unix_stream_connect;
+	struct hlist_head unix_stream_socketpair;
 	struct hlist_head unix_may_send;
 	struct hlist_head socket_create;
 	struct hlist_head socket_post_create;
diff --git a/include/linux/security.h b/include/linux/security.h
index 200920f521a1..be275deeda10 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1187,6 +1187,7 @@ static inline int security_inode_getsecctx(struct inode *inode, void **ctx, u32
 #ifdef CONFIG_SECURITY_NETWORK
 
 int security_unix_stream_connect(struct sock *sock, struct sock *other, struct sock *newsk);
+int security_unix_stream_socketpair(struct sock *socka, struct sock *sockb);
 int security_unix_may_send(struct socket *sock,  struct socket *other);
 int security_socket_create(int family, int type, int protocol, int kern);
 int security_socket_post_create(struct socket *sock, int family,
@@ -1242,6 +1243,12 @@ static inline int security_unix_stream_connect(struct sock *sock,
 	return 0;
 }
 
+static inline int security_unix_stream_socketpair(struct sock *socka,
+						  struct sock *sockb)
+{
+	return 0;
+}
+
 static inline int security_unix_may_send(struct socket *sock,
 					 struct socket *other)
 {
diff --git a/security/security.c b/security/security.c
index 7bc2fde023a7..3dfd374e84e5 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1340,6 +1340,12 @@ int security_unix_stream_connect(struct sock *sock, struct sock *other, struct s
 }
 EXPORT_SYMBOL(security_unix_stream_connect);
 
+int security_unix_stream_socketpair(struct sock *socka, struct sock *sockb)
+{
+	return call_int_hook(unix_stream_socketpair, 0, socka, sockb);
+}
+EXPORT_SYMBOL(security_unix_stream_socketpair);
+
 int security_unix_may_send(struct socket *sock,  struct socket *other)
 {
 	return call_int_hook(unix_may_send, 0, sock, other);
-- 
2.17.0