From: Ondrej Mosnacek
Date: Thu, 17 Feb 2022 14:41:30 +0100
Subject: Re: [PATCH net v3 2/2] security: implement sctp_assoc_established hook in selinux
To: Paul Moore
Cc: Xin Long, Marcelo Ricardo Leitner, Jakub Kicinski, netdev, David Miller, SElinux list, Richard Haines, Vlad Yasevich, Neil Horman, "open list:SCTP PROTOCOL", LSM List, LKML, Prashanth Prahlad
References: <20220212175922.665442-1-omosnace@redhat.com> <20220212175922.665442-3-omosnace@redhat.com> <20220214165436.1f6a9987@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com>

On Tue, Feb 15, 2022 at 9:03 PM Paul Moore wrote:
> On Mon, Feb 14, 2022 at 11:13 PM Xin Long wrote:
> > Looks okay to me.
> >
> > The difference from the old one is that: with
> > selinux_sctp_process_new_assoc() called in
> > selinux_sctp_assoc_established(), the client sksec->peer_sid is using
> > the first asoc's peer_secid, instead of the latest asoc's peer_secid.
> > And I'm not sure if it will cause any problems when doing the extra check
> > sksec->peer_sid != asoc->peer_secid for the latest asoc and *returns
> > err*. But I don't know about selinux, I guess there must be a reason
> > from selinux side.
>
> Generally speaking we don't want to change any SELinux socket labels
> once it has been created. While the peer_sid is a bit different,
> changing it after userspace has access to the socket could be
> problematic. In the case where the peer_sid differs between the two
> we have a permission check which allows policy to control this
> behavior which seems like the best option at this point.

I think that maybe Xin was referring to the fact that on error return
from the hook the return code information is lost and the assoc is just
silently dropped (but I may have misunderstood). In case of a denial
(avc_has_perm() returning -EACCESS) this isn't much of a problem,
because the denial is logged in the audit log, so there is a way to
figure out why opening the association failed.

In case of other errors we could indeed do better and either log an
SELINUX_ERR audit event or at least pr_err() into the console, but
there are likely several other existing cases like this, so it would be
best to do this cleanup independently in another patch (if anyone feels
up to the task...).

--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.