Subject: Re: [PATCH net v3 0/2] security: fixups for the security hooks in sctp
From: Richard Haines
To: Ondrej Mosnacek, netdev@vger.kernel.org, davem@davemloft.net, kuba@kernel.org, selinux@vger.kernel.org, Paul Moore
Cc: Xin Long, Vlad Yasevich, Neil Horman, Marcelo Ricardo Leitner, linux-sctp@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Date: Tue, 15 Feb 2022 09:41:17 +0000
In-Reply-To: <20220212175922.665442-1-omosnace@redhat.com>
References: <20220212175922.665442-1-omosnace@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, 2022-02-12 at
18:59 +0100, Ondrej Mosnacek wrote:
> This is a third round of patches to fix the SCTP-SELinux interaction
> w.r.t. client-side peeloff. The patches are a modified version of Xin
> Long's patches posted previously, of which only a part was merged (the
> rest was merged for a while, but was later reverted):
> https://lore.kernel.org/selinux/cover.1635854268.git.lucien.xin@gmail.com/T/
>
> In gist, these patches replace the call to
> security_inet_conn_established() in SCTP with a new hook
> security_sctp_assoc_established() and implement the new hook in SELinux
> so that the client-side association labels are set correctly (which
> matters in case the association eventually gets peeled off into a
> separate socket).
>
> Note that other LSMs than SELinux don't implement the SCTP hooks nor
> inet_conn_established, so they shouldn't be affected by any of these
> changes.
>
> These patches were tested by selinux-testsuite [1] with an additional
> patch [2] and by lksctp-tools func_tests [3].
>
> Changes since v2:
> - patches 1 and 2 dropped as they are already in mainline (not reverted)
> - in patch 3, the return value of security_sctp_assoc_established() is
>   changed to int, the call is moved earlier in the function, and if the
>   hook returns an error value, the packet will now be discarded,
>   aborting the association
> - patch 4 has been changed a lot - please see the patch description for
>   details on how the hook is now implemented and why
>
> [1] https://github.com/SELinuxProject/selinux-testsuite/
> [2] https://patchwork.kernel.org/project/selinux/patch/20211021144543.740762-1-omosnace@redhat.com/
> [3] https://github.com/sctp/lksctp-tools/tree/master/src/func_tests
>
> Ondrej Mosnacek (2):
>   security: add sctp_assoc_established hook
>   security: implement sctp_assoc_established hook in selinux
>
>  Documentation/security/SCTP.rst | 22 ++++----
>  include/linux/lsm_hook_defs.h   |  2 +
>  include/linux/lsm_hooks.h       |  5 ++
>  include/linux/security.h        |  8 +++
>  net/sctp/sm_statefuns.c         |  8 +--
>  security/security.c             |  7 +++
>  security/selinux/hooks.c        | 90 ++++++++++++++++++++++++---------
>  7 files changed, 103 insertions(+), 39 deletions(-)
>

Built this patchset on kernel 5.17-rc4 with no problems. Tested using
[PATCH testsuite v3] tests/sctp: add client peeloff tests

Tested-by: Richard Haines