Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp5393452pxb; Sun, 7 Nov 2021 11:18:00 -0800 (PST) X-Google-Smtp-Source: ABdhPJxkkpG4+Jw1uHS9eoXkB+qa01bZfgFsRkhIsPLRFytT3wavr+eL9fTLR14jAwe3sHp3RI3g X-Received: by 2002:a05:6e02:c68:: with SMTP id f8mr52142388ilj.184.1636312680216; Sun, 07 Nov 2021 11:18:00 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1636312680; cv=none; d=google.com; s=arc-20160816; b=xaSQmuhcqsqNbwoiyHFR3givvhZF/ngu/ZHL8ObhOiA5DuYZlo/tQJVSItw5Vro1x/ xRI3DzbW4aYWB7r4MULwdqMIlVRJ6a5YngrIzf1Ujec1u+iMb7Khc1CWAiM6i9L3fbeY uVW1F0FK/9EA+5WaMHniLPa5YOk03NPwdAONBb3QksKimq9e7EZdGSygX3BNicjwal2J 1cFYYn2ROaWUS/cYoQlsmDbodty/n/8ZGIHgEBWMoBczTOjKJxhknGSMSVPgp6no30K6 a1FgJU4PWPFNxFQG+dXHN8rOv8ZPWo1K5hhPvjQBg8YoC4OQdF5eBQGKnrsPm7a6pZwy vl7Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=y/8bLRVi7dxv/9MASDzNQG0suFX7w4MEKyGAhcaOmtQ=; b=BeREEy8RcQ+cyZyD7s/aIhf4wXtP5eW1gK+kreLZu/55s7edxcThCXckDqVUUT/wrd T9/Gmn790csDwBPCix+ySWAu+fWwVwCgt3ETwc5qsdX/O5sQdFIs+L1UHJIYb/TcxSLG dM3ossX95STPe9YXwOLWdlhFmZf6Y5Vsz5PFmLKcbUfI+ZDiIqguCM31W0qhlsx7yKnN ukq/7sF6MFlg1kEoLZGaqJHp3GerY32ASj6BzCq7Hqn8ZSTfISBq56yYVB/iatfnV5R1 rHz3HjcksQvZH3CNcaj5CF+XhKXHiTiaK0wmC9W6S1BtFMg9qqzeHwnjHki/QOHpMAQv s2rQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=yi3zBMtP; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id r12si29287121jad.37.2021.11.07.11.17.48; Sun, 07 Nov 2021 11:18:00 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=yi3zBMtP; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233551AbhKGOPx (ORCPT + 99 others); Sun, 7 Nov 2021 09:15:53 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57400 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232667AbhKGOPw (ORCPT ); Sun, 7 Nov 2021 09:15:52 -0500 Received: from mail-ed1-x52d.google.com (mail-ed1-x52d.google.com [IPv6:2a00:1450:4864:20::52d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7C63FC061764 for ; Sun, 7 Nov 2021 06:13:09 -0800 (PST) Received: by mail-ed1-x52d.google.com with SMTP id m14so51117000edd.0 for ; Sun, 07 Nov 2021 06:13:09 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=y/8bLRVi7dxv/9MASDzNQG0suFX7w4MEKyGAhcaOmtQ=; b=yi3zBMtPTUhA4YOSggoL1+XRKolOBDBTagP31xlRyE4I804LZUtIx7V2Vj9B4+Md4L pRySWKh2i3CnoSO31LrzU9xpG5Vdd9QCpNUYKbxofcKTXf/KCCZzpPxRZJYfPvmrX1G3 8sMifZJM0aZ53HfYhuYZvcMsmO1iIIRfxbusTFPCt6GGQw+VprCEnllCVNwuoe9lZgto jDVVp2ySWIS1wkymDhLxNzmtwFUmdDeXMVZvzHUZW6Xm2D2tpOl+VokFAguQIAr8Qaot f4F/HGoeBmHxU74v8DUovBi/OKDIs65LvbiQo8PNCUFeoA/A1QQQZAQ4iAkW21sLRsXa GJVQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=y/8bLRVi7dxv/9MASDzNQG0suFX7w4MEKyGAhcaOmtQ=; b=ypl0mBV34hlvTTsEcS62Tfx7qboG7muSB5rCKQ4Xq953uyd0IfbQRJ0T9/KHeqb7VU t9Ex6+DAeuma77IRHgE29ekma0VF1dVxHgjyWrHpwRHfmb0nCPyp1Ng6iDse2coKKfSM vXbHyNUMt8nhju/5asnjPYLL4BlANkreu90clGwEh64LZfCJ98cdaSEmZDsmK88yD6zB PzYWtaFVFvQn7iAdoYNJHyrXwVyYY/BPoUWz426/cj5B4Ql2qhakjZzXDojEndAiI3RN okltJBo5eH9ZobsAs83dGVryExbIA2ktKMUFtoo4BIBf0+TJ+egjdSxMXeeT0TP9Hri0 +TGQ== X-Gm-Message-State: AOAM530Ox6IZT6LEDAJ7G34kueZRm9ve5l0hlWTLyqaITjlz0qo5t4DH KWmJ66m73J0fDMtOOGhw65XgGUFLZP64moC41wep X-Received: by 2002:a50:8dcb:: with SMTP id s11mr67368043edh.318.1636294387862; Sun, 07 Nov 2021 06:13:07 -0800 (PST) MIME-Version: 1.0 References: <20211104195949.135374-1-omosnace@redhat.com> In-Reply-To: <20211104195949.135374-1-omosnace@redhat.com> From: Paul Moore Date: Sun, 7 Nov 2021 09:12:57 -0500 Message-ID: Subject: Re: [PATCH net] selinux: fix SCTP client peeloff socket labeling To: Ondrej Mosnacek Cc: netdev@vger.kernel.org, davem@davemloft.net, kuba@kernel.org, Xin Long , Richard Haines , Vlad Yasevich , Neil Horman , Marcelo Ricardo Leitner , linux-sctp@vger.kernel.org, selinux@vger.kernel.org, linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Nov 4, 2021 at 3:59 PM Ondrej Mosnacek wrote: > > The commit referenced in the "Fixes" tag mistakenly attempted to > preserve the label of the peeloff socket that had been set in > selinux_socket_post_create() in the case of a client socket. However, > the peeloff socket should in fact just inherit the label from the parent > socket. In practice these labels are usually the same, but they may > differ when setsockcreatecon(3) or socket type transition rules are > involved. > > The fact that selinux_socket_[post_]create() are called on the peeloff > socket is actually not what should be happening (it is a side effect of > sctp_do_peeloff() using socket_create() to create the socket, which > calls the aforementioned LSM hooks). A patch to fix this is being worked > on. > > In the meanwhile, at least fix sctp_assoc_established() to set > asoc->secid to the socket's sid and selinux_sctp_sk_clone() to > unconditionally get the peeloff socket's sid from asoc->secid, which > will ensure that the peeloff socket gets the right label in case of both > client and server SCTP socket. The label set by > selinux_socket_post_create() will be simply overwritten in both cases, > as was the case before the commit this patch is fixing. > > Passed both the selinux-testsuite (with client peeloff tests added) and > the SCTP functional test suite from lksctp-tools. > > Fixes: e7310c94024c ("security: implement sctp_assoc_established hook in selinux") > Based-on-patch-by: Xin Long > Signed-off-by: Ondrej Mosnacek > --- > > As agreed with Xin Long, I'm posting this fix up instead of him. I am > now fairly convinced that this is the right way to deal with the > immediate problem of client peeloff socket labeling. I'll work on > addressing the side problem regarding selinux_socket_post_create() > being called on the peeloff sockets separately. > > Please don't merge this patch without an ack from Paul, as it seems > we haven't reached an overall consensus yet. > > security/selinux/hooks.c | 5 ++--- > 1 file changed, 2 insertions(+), 3 deletions(-) When we change things as significantly as we are doing here, i.e. shifting some of the labeling away from the endpoint to the association, I much rather we do it as a chunk/patchset so that we can review it in a consistent manner. Some of that has gone out the door here because of what I view as recklessness on the part of the netdev folks, but that doesn't mean we need to abandon all order. Let's get all the fixes and repairs queued up in a single patchset so that we can fully see what the end result of these changes are going to look like. Further, I think it would be good if at least one of the patches has a very clear explanation in the commit description (not the cover letter, I want to see this in the git log) of what happens with respect to labeling on the server side, the client side, during socket peeloffs on both ends, and how multiple associations are handled. My hope is that this should give us all a more consistent view, which will be very important moving forward if netdev is going to act independent of the other subsystems. -- paul moore www.paul-moore.com