From: Xin Long
Date: Tue, 15 Feb 2022 12:13:17 +0800
Subject: Re: [PATCH net v3 2/2] security: implement sctp_assoc_established hook in selinux
To: Marcelo Ricardo Leitner
Cc: Jakub Kicinski, Paul Moore, Ondrej Mosnacek, netdev, David Miller, SElinux list, Richard Haines, Vlad Yasevich, Neil Horman, "open list:SCTP PROTOCOL", LSM List, LKML, Prashanth Prahlad
References: <20220212175922.665442-1-omosnace@redhat.com> <20220212175922.665442-3-omosnace@redhat.com> <20220214165436.1f6a9987@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Feb 15, 2022 at 11:58 AM Marcelo Ricardo Leitner wrote:
>
> On Mon, Feb 14, 2022 at 21:54, Jakub Kicinski wrote:
>>
>> On Mon, 14 Feb 2022 17:14:04 -0500 Paul Moore wrote:
>> > If I can get an ACK from one of the SCTP and/or netdev folks I'll
>> > merge this into the selinux/next branch.
>>
>> No objections here FWIW, I'd defer the official acking to the SCTP
>> maintainers.
>
> None from my side either, but I really want to hear from Xin. He has
> worked on this since day 0.
>
Looks okay to me.

The difference from the old one is that: with
selinux_sctp_process_new_assoc() called in
selinux_sctp_assoc_established(), the client sksec->peer_sid is using
the first asoc's peer_secid, instead of the latest asoc's peer_secid.
And I'm not sure if it will cause any problems when doing the extra check
sksec->peer_sid != asoc->peer_secid for the latest asoc and *returns
err*. But I don't know about selinux, I guess there must be a reason
from the selinux side.

I will ACK on patch 0/2.

Thanks Ondrej for working on this patiently.
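
An added illustration, not part of the original message and not kernel code: a simplified userspace C model of the difference the reply describes, where the first association fixes the socket's peer_sid and a later association with a different peer_secid goes through an extra check that can return an error. The struct layouts, policy_allows(), the SID numbers and ERR_DENIED are assumptions made for the model; in the kernel the decision comes from SELinux policy.

```c
#include <stdint.h>
#include <stdio.h>

#define ASSOC_UNSET 0      /* no association recorded on the socket yet */
#define ASSOC_SET   1
#define ERR_DENIED  (-13)  /* constructed error value for the model */

struct sock_sec { int assoc_state; uint32_t peer_sid; }; /* stand-in for sksec */
struct assoc    { uint32_t peer_secid; };                /* stand-in for asoc  */

/* Hypothetical policy: a socket whose peer SID is 100 may also accept 101. */
static int policy_allows(uint32_t sock_peer, uint32_t assoc_peer)
{
    return sock_peer == 100 && assoc_peer == 101;
}

/* Old behaviour as described in the reply: peer_sid follows the latest asoc. */
static int established_old(struct sock_sec *s, const struct assoc *a)
{
    s->peer_sid = a->peer_secid;
    return 0;
}

/* New behaviour as described: the first asoc sets peer_sid; a later asoc
 * whose peer_secid differs is checked and may be refused. */
static int established_new(struct sock_sec *s, const struct assoc *a)
{
    if (s->assoc_state == ASSOC_UNSET) {
        s->assoc_state = ASSOC_SET;
        s->peer_sid = a->peer_secid;
        return 0;
    }
    if (s->peer_sid != a->peer_secid &&
        !policy_allows(s->peer_sid, a->peer_secid))
        return ERR_DENIED;
    return 0;   /* peer_sid is left at the first association's value */
}

int main(void)
{
    struct assoc seq[] = { {100}, {101}, {200} };  /* constructed SIDs */
    struct sock_sec o = { ASSOC_UNSET, 0 }, n = { ASSOC_UNSET, 0 };
    for (int i = 0; i < 3; i++) {
        int ro = established_old(&o, &seq[i]);
        int rn = established_new(&n, &seq[i]);
        printf("asoc sid=%u old: ret=%d peer_sid=%u | new: ret=%d peer_sid=%u\n",
               (unsigned)seq[i].peer_secid, ro, (unsigned)o.peer_sid,
               rn, (unsigned)n.peer_sid);
    }
    return 0;
}
```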