From: Xin Long
Date: Fri, 22 Oct 2021 14:32:52 +0800
Subject: Re: [PATCH] sctp: initialize endpoint LSM labels also on the client side
To: Marcelo Ricardo Leitner
Cc: Ondrej Mosnacek, Vlad Yasevich, Neil Horman, linux-sctp@vger.kernel.org, network dev, selinux@vger.kernel.org, LSM List, LKML, Richard Haines
References: <20211021153846.745289-1-omosnace@redhat.com>
List-ID: linux-kernel@vger.kernel.org

On Thu, Oct 21, 2021 at 11:55 PM Marcelo Ricardo Leitner wrote:
>
> On Thu, Oct 21, 2021 at 05:38:46PM +0200, Ondrej Mosnacek wrote:
> > The secid* fields in struct sctp_endpoint are used to initialize the
> > labels of a peeloff socket created from the given association. Currently
> > they are initialized properly when a new association is created on the
> > server side (upon receiving an INIT packet), but not on the client side.
>
> +Cc Xin

Thanks Marcelo,

security_sctp_assoc_request() is not supposed to be called on the client side, as we can see with TCP. The client side's labels should be set on the connection by selinux_inet_conn_request(). But we can't do that based on the current hooks.
The root problem is that the current hooks incorrectly treat sctp_endpoint in SCTP as request_sock in TCP, while it should have been sctp_association. We need a bigger change to the current SCTP security code. I will post the patch series I have in hand; please take a look.