From: Paul Moore
Date: Tue, 15 Feb 2022 15:02:51 -0500
Subject: Re: [PATCH net v3 2/2] security: implement sctp_assoc_established hook in selinux
To: Xin Long
Cc: Marcelo Ricardo Leitner, Jakub Kicinski, Ondrej Mosnacek, netdev, David Miller, SElinux list, Richard Haines, Vlad Yasevich, Neil Horman, "open list:SCTP PROTOCOL", LSM List, LKML, Prashanth Prahlad
List-ID: linux-kernel@vger.kernel.org
References: <20220212175922.665442-1-omosnace@redhat.com> <20220212175922.665442-3-omosnace@redhat.com> <20220214165436.1f6a9987@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com>

On Mon, Feb 14, 2022 at 11:13 PM Xin Long wrote:
> Looks okay to me.
>
> The difference from the old one is that: with
> selinux_sctp_process_new_assoc() called in
> selinux_sctp_assoc_established(), the client sksec->peer_sid is using
> the first asoc's peer_secid, instead of the latest asoc's peer_secid.
> And I'm not sure if it will cause any problems when doing the extra check
> sksec->peer_sid != asoc->peer_secid for the latest asoc and *returns
> err*. But I don't know about selinux; I guess there must be a reason
> from the selinux side.

Generally speaking we don't want to change any SELinux socket labels once it has been created. While the peer_sid is a bit different, changing it after userspace has access to the socket could be problematic. In the case where the peer_sid differs between the two we have a permission check which allows policy to control this behavior, which seems like the best option at this point.

> I will ACK on patch 0/2.

Thanks, I'm going to go ahead and merge these two patches into selinux/next right now.

-- 
paul-moore.com