Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp681847pxf; Wed, 17 Mar 2021 13:18:29 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwcMimjIylkBmJI1CSIxE/YtsvRwnRIHVBvIKgFzF6oJyf0VEP/6YMzR1frMZok7c20cN6+ X-Received: by 2002:a17:906:71c3:: with SMTP id i3mr25232580ejk.391.1616012309219; Wed, 17 Mar 2021 13:18:29 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1616012309; cv=none; d=google.com; s=arc-20160816; b=mb3vdhV/IGOYb6eae3G1y0mG8marMDNjOYUp8Rv0dJWRaTHIryFv6kKrRZM/clwPv0 XsMG2/lxpYcLyS56wJV9qFAanYSwMnvCk9qq6kY4KmKXf6nvwknbCxS5X3Zq6UXhEFI5 75JNLfjLxbZ3aCNoajEPaDjsKswAMPIYswRpvNJYACfKqVhlTH6oGCu9N3UHDZj0JDGt jDdjrOyMx7rRiKCB1IuGrvQ+mlQlUJtZR4jIjRo2dkNcNO/EBOPRRLtnNwGhznGkV4jW tDscCrLIRpWXyHGdwA0V/5XFUD7YOF6ke85U9/0hVUUQEo6+SaghhugjQSdwaWUg8SfP f4wQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=QEOloMvNgoHGwfPYaOtLBZt1tGk9z+wArHjNJYI6x+w=; b=TxauQPZFyhPuECVV++d7AGrs5ZlL/JgaB43Y+96EXmtr+0C63Gs/tFvF4EMmMdvcTh cBIasSDmwzsH3px3yU0zAKUDSeDoGDvDUYgXVSF9l+D5bXB2AvreVcx2bYU+NVTXcnt0 2SOO4utGVdHeTsuRqG4o4aJ9VbO0AnIItkjjE7EtMalCf+BWZypKz3V/kalgUADOFtgD cv6cqiO90LNN6lzTMnbPirpO1ebaRPuXFFeIWxG9WS4aVsOHoObPSIcT9ylv7g12R+BV olLYPjIT3NhIt/Scul97+0RsE/aidhCQ1HHqNwqd6tJl2/oKxs8pZ3OHvev4RzijtrNi j+Zg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=UlaIdchI; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id g19si15062720eds.96.2021.03.17.13.18.06; Wed, 17 Mar 2021 13:18:29 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=UlaIdchI; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233269AbhCQURK (ORCPT + 99 others); Wed, 17 Mar 2021 16:17:10 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45532 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232499AbhCQUQj (ORCPT ); Wed, 17 Mar 2021 16:16:39 -0400 Received: from mail-ej1-x630.google.com (mail-ej1-x630.google.com [IPv6:2a00:1450:4864:20::630]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4E279C06174A for ; Wed, 17 Mar 2021 13:16:39 -0700 (PDT) Received: by mail-ej1-x630.google.com with SMTP id va9so358425ejb.12 for ; Wed, 17 Mar 2021 13:16:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=QEOloMvNgoHGwfPYaOtLBZt1tGk9z+wArHjNJYI6x+w=; b=UlaIdchIMdvi/d1HMbomidYmolKkRGGG72Ut18zENfsjoTbv1aDeRsouser7JUEzqI 9lCfZ7qjup3e1vRK9Xu4o1tkavKruWXdMzBIVvgZal+Sm/7RZ+YYYUzbnmauXGdHEywk I19g8U3fx1gLO92it6EU+oyJESyO6EXh+KbyjkioJePZ9Kqq/wWEi8iEyX6Igae83hqB HZtVJ4mDbZNtS8YUXFkoIdVC8+WhOuUJ6SBduQUGWkIOoA49zXdj4peBD3woqzUj/UbP Mspw7LEf+mD+R+O1Nox5CYoU5VBRR5beWYwRY4Mbzdpf8B7qKfNpkuVfYZlEL43hYOrp u6gA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=QEOloMvNgoHGwfPYaOtLBZt1tGk9z+wArHjNJYI6x+w=; b=Z0yaIFkAANA8u7GwvR2m+WTJvZfmKcfaQaDv0gQbqpAsMe4izvzghv+jvOYnIQtkR3 tysEQ/hLKA8Lb1hvetueY3Hs9zNtsqZK38eX01G5g4wZ+teNixNpTELqAktmk3+7BPoe nFY3m80zT32RycCTvnfQm9mGzZ7MkbHYpIfLXwpnvX1UQL6o4l7Cjpxs/yg+fbdfOyMu 0lPSYp+/NMEVyor3DuZ0yIcxjy/S1ZgaVbs0gX7nt5pC8xqm88GWKzzucBAGk/RkyMNA pi/gtjuBqBoGMJK27U6vCSDTmmc0s71ECc9bPqjLWtATlwVj/Bw028H/tPaWdkwIQAA2 PBDA== X-Gm-Message-State: AOAM532qz73KLjkpXflxIGLJC2o5sDj3VjjApXKxrFoPEoEnbSPKKx3u jbOTZZ9SXKQkYTNqrZykoqcKYkVOJc5WDxoY4yUt X-Received: by 2002:a17:906:3ac3:: with SMTP id z3mr37990797ejd.106.1616012197980; Wed, 17 Mar 2021 13:16:37 -0700 (PDT) MIME-Version: 1.0 References: <20210317154448.1034471-1-dbrazdil@google.com> In-Reply-To: <20210317154448.1034471-1-dbrazdil@google.com> From: Paul Moore Date: Wed, 17 Mar 2021 16:16:27 -0400 Message-ID: Subject: Re: [PATCH] selinux: vsock: Set SID for socket returned by accept() To: David Brazdil Cc: selinux@vger.kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, linux-security-module@vger.kernel.org, "David S . Miller" , Jakub Kicinski , James Morris , "Serge E . Hallyn" , Stephen Smalley , Eric Paris , Kees Cook , Jeff Vander Stoep , Alistair Delva Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Mar 17, 2021 at 11:44 AM David Brazdil wrote: > > For AF_VSOCK, accept() currently returns sockets that are unlabelled. > Other socket families derive the child's SID from the SID of the parent > and the SID of the incoming packet. This is typically done as the > connected socket is placed in the queue that accept() removes from. > > Implement an LSM hook 'vsock_sk_clone' that takes the parent (server) > and child (connection) struct socks, and assigns the parent SID to the > child. There is no packet SID in this case. > > Signed-off-by: David Brazdil > --- > This is my first patch in this part of the kernel so please comment if I > missed anything, specifically whether there is a packet SID that should > be mixed into the child SID. > > Tested on Android. > > include/linux/lsm_hook_defs.h | 1 + > include/linux/lsm_hooks.h | 7 +++++++ > include/linux/security.h | 5 +++++ > net/vmw_vsock/af_vsock.c | 1 + > security/security.c | 5 +++++ > security/selinux/hooks.c | 10 ++++++++++ > 6 files changed, 29 insertions(+) Additional comments below, but I think it would be a good idea for you to test your patches on a more traditional Linux distribution as well as Android. > diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c > index 5546710d8ac1..a9bf3b90cb2f 100644 > --- a/net/vmw_vsock/af_vsock.c > +++ b/net/vmw_vsock/af_vsock.c > @@ -755,6 +755,7 @@ static struct sock *__vsock_create(struct net *net, > vsk->buffer_size = psk->buffer_size; > vsk->buffer_min_size = psk->buffer_min_size; > vsk->buffer_max_size = psk->buffer_max_size; > + security_vsock_sk_clone(parent, sk); Did you try calling the existing security_sk_clone() hook here? I would be curious to hear why it doesn't work in this case. Feel free to educate me on AF_VSOCK, it's entirely possible I'm misunderstanding something here :) > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index ddd097790d47..7b92d6f2e0fd 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -5616,6 +5616,15 @@ static int selinux_tun_dev_open(void *security) > return 0; > } > > +static void selinux_socket_vsock_sk_clone(struct sock *sock, struct sock *newsk) > +{ > + struct sk_security_struct *sksec_sock = sock->sk_security; > + struct sk_security_struct *sksec_new = newsk->sk_security; > + > + /* Always returns 0 when packet SID is SECSID_NULL. */ > + WARN_ON_ONCE(selinux_conn_sid(sksec_sock->sid, SECSID_NULL, &sksec_new->sid)); > +} If you are using selinux_conn_sid() with the second argument always SECSID_NULL it probably isn't the best choice; it ends up doing a simple "sksec_new->sid = sksec_sock->sid" ... which gets us back to this function looking like a reimplementation of selinux_sk_clone_security(), minus the peer_sid and sclass initializations (which should be important things to have). I strongly suggest you try making use of the existing security_sk_clone() hook in the vsock code, it seems like a better way to solve this problem. -- paul moore www.paul-moore.com