Date: Wed, 17 Mar 2021 15:44:48 +0000
Message-Id: <20210317154448.1034471-1-dbrazdil@google.com>
X-Mailer: git-send-email 2.31.0.rc2.261.g7f71774620-goog
Subject: [PATCH] selinux: vsock: Set SID for socket returned by accept()
From: David Brazdil
To: selinux@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org, linux-security-module@vger.kernel.org, "David S . Miller", Jakub Kicinski, James Morris, "Serge E . Hallyn", Paul Moore, Stephen Smalley, Eric Paris, Kees Cook, Jeff Vander Stoep, Alistair Delva, David Brazdil
X-Mailing-List: linux-kernel@vger.kernel.org

For AF_VSOCK, accept() currently returns sockets that are unlabelled. Other socket families derive the child's SID from the SID of the parent and the SID of the incoming packet. This is typically done as the connected socket is placed in the queue that accept() removes from.

Implement an LSM hook 'vsock_sk_clone' that takes the parent (server) and child (connection) struct socks, and assigns the parent SID to the child. There is no packet SID in this case.
Signed-off-by: David Brazdil --- This is my first patch in this part of the kernel so please comment if I missed anything, specifically whether there is a packet SID that should be mixed into the child SID. Tested on Android. include/linux/lsm_hook_defs.h | 1 + include/linux/lsm_hooks.h | 7 +++++++ include/linux/security.h | 5 +++++ net/vmw_vsock/af_vsock.c | 1 + security/security.c | 5 +++++ security/selinux/hooks.c | 10 ++++++++++ 6 files changed, 29 insertions(+) diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 477a597db013..f35e422b2b5c 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -329,6 +329,7 @@ LSM_HOOK(int, 0, sctp_bind_connect, struct sock *sk, int optname, struct sockaddr *address, int addrlen) LSM_HOOK(void, LSM_RET_VOID, sctp_sk_clone, struct sctp_endpoint *ep, struct sock *sk, struct sock *newsk) +LSM_HOOK(void, LSM_RET_VOID, vsock_sk_clone, struct sock *sock, struct sock *newsk) #endif /* CONFIG_SECURITY_NETWORK */ #ifdef CONFIG_SECURITY_INFINIBAND diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index fb7f3193753d..1b4e92990401 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1033,6 +1033,13 @@ * @sk pointer to current sock structure. * @sk pointer to new sock structure. * + * Security hooks for vSockets + * + * @vsock_sk_clone: + * Clone SID from the server socket to a newly connected child socket. + * @sock contains the sock structure. + * @newsk contains the new sock structure. + * * Security hooks for Infiniband * * @ib_pkey_access: diff --git a/include/linux/security.h b/include/linux/security.h index 8aeebd6646dc..ffac67058355 100644 --- a/include/linux/security.h +++ b/include/linux/security.h 
@@ -1404,6 +1404,7 @@ int security_sctp_bind_connect(struct sock *sk, int optname, struct sockaddr *address, int addrlen); void security_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk, struct sock *newsk); +void security_vsock_sk_clone(struct sock *sock, struct sock *newsk); #else /* CONFIG_SECURITY_NETWORK */ static inline int security_unix_stream_connect(struct sock *sock, @@ -1623,6 +1624,10 @@ static inline void security_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *newsk) { } + +static inline void security_vsock_sk_clone(struct sock *sock, struct sock *newsk) +{ +} #endif /* CONFIG_SECURITY_NETWORK */ #ifdef CONFIG_SECURITY_INFINIBAND diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c index 5546710d8ac1..a9bf3b90cb2f 100644 --- a/net/vmw_vsock/af_vsock.c +++ b/net/vmw_vsock/af_vsock.c @@ -755,6 +755,7 @@ static struct sock *__vsock_create(struct net *net, vsk->buffer_size = psk->buffer_size; vsk->buffer_min_size = psk->buffer_min_size; vsk->buffer_max_size = psk->buffer_max_size; + security_vsock_sk_clone(parent, sk); } else { vsk->trusted = ns_capable_noaudit(&init_user_ns, CAP_NET_ADMIN); vsk->owner = get_current_cred(); diff --git a/security/security.c b/security/security.c index 5ac96b16f8fa..050b653405e0 100644 --- a/security/security.c +++ b/security/security.c @@ -2335,6 +2335,11 @@ void security_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk, } EXPORT_SYMBOL(security_sctp_sk_clone); +void security_vsock_sk_clone(struct sock *sock, struct sock *newsk) +{ + call_void_hook(vsock_sk_clone, sock, newsk); +} +EXPORT_SYMBOL(security_vsock_sk_clone); #endif /* CONFIG_SECURITY_NETWORK */ #ifdef CONFIG_SECURITY_INFINIBAND diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index ddd097790d47..7b92d6f2e0fd 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
@@ -5616,6 +5616,15 @@ static int selinux_tun_dev_open(void *security) return 0; } +static void selinux_socket_vsock_sk_clone(struct sock *sock, struct sock *newsk) +{ + struct sk_security_struct *sksec_sock = sock->sk_security; + struct sk_security_struct *sksec_new = newsk->sk_security; + + /* Always returns 0 when packet SID is SECSID_NULL. */ + WARN_ON_ONCE(selinux_conn_sid(sksec_sock->sid, SECSID_NULL, &sksec_new->sid)); +} + #ifdef CONFIG_NETFILTER static unsigned int selinux_ip_forward(struct sk_buff *skb, @@ -7228,6 +7237,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue), LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach), LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open), + LSM_HOOK_INIT(vsock_sk_clone, selinux_socket_vsock_sk_clone), #ifdef CONFIG_SECURITY_INFINIBAND LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access), LSM_HOOK_INIT(ib_endport_manage_subnet, -- 2.31.0.rc2.261.g7f71774620-goog
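Review bot: In the include/linux/lsm_hook_defs.h hunk the first parameter of the new hook is a `struct sock *` named `sock`, which reads like a `struct socket *` and differs from the neighbouring `sctp_sk_clone` hook, whose `struct sock *` parameters are `sk` and `newsk`. Suggest `LSM_HOOK(void, LSM_RET_VOID, vsock_sk_clone, struct sock *sk, struct sock *newsk)` and the same rename in the security.h declaration and stub, the security.c wrapper and the SELinux implementation, so the hook reads consistently with the existing socket-clone hooks.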
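Review bot: The include/linux/lsm_hooks.h hunk documents the hook as "Clone SID from the server socket", but this header describes the LSM interface for every security module, and "SID" is SELinux terminology. Suggest wording it in module-neutral terms, e.g. "Copy the security state of the listening socket to a newly connected child socket", and, as the commit message already states, note explicitly that no packet-derived label is available for this family, since that is the property a future hook implementer most needs to know.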
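Review bot: In the net/vmw_vsock/af_vsock.c hunk the call `security_vsock_sk_clone(parent, sk);` sits inside the branch that copies settings from `psk`, after the buffer-size copies, so it fires only when a parent sock is supplied and never for the listener itself (the `else` branch keeps the creation-time label); that is the right split, but the hook relies on `sk->sk_security` already having been allocated for the child at this point, which the hunk does not show. A short sentence in the commit message stating that the child's security blob is allocated before this point in `__vsock_create` would make the ordering assumption reviewable.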
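Review bot: In the security/selinux/hooks.c hunk at @@ -5616, `selinux_socket_vsock_sk_clone` writes only `sksec_new->sid`; the child's `sclass` is left at whatever the child's sk allocation gave it, so check whether the accepted socket ends up with the listener's class (the existing SCTP clone path copies `sclass` alongside the SID). Two smaller points: the `WARN_ON_ONCE(selinux_conn_sid(...))` wraps an expression with a side effect (it assigns `sksec_new->sid`), which is easy to misread as a check-only line, and since the comment itself says the call cannot fail with `SECSID_NULL`, a plain `sksec_new->sid = sksec_sock->sid;` states the intent directly; and the function name should match the hook name, i.e. `selinux_vsock_sk_clone`, as the other `*_sk_clone` implementations do.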
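Review bot: In the @@ -7228 hunk the new `LSM_HOOK_INIT(vsock_sk_clone, selinux_socket_vsock_sk_clone)` entry is placed after the `tun_dev_*` entries rather than next to the other socket-clone hooks (`sk_clone_security`, `sctp_sk_clone`); moving it beside them keeps the table grouped by subsystem and makes the entry easier to find when the hook list is audited.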