Received: by 2002:a05:6a10:7420:0:0:0:0 with SMTP id hk32csp631796pxb; Thu, 17 Feb 2022 11:11:25 -0800 (PST) X-Google-Smtp-Source: ABdhPJyxL9jykumlRPm8cF6OAmE4S8HnBwV6JQzrUidi07FqMwjsiYkaRpULlo731j2MGBEEVor+ X-Received: by 2002:a17:906:3905:b0:6cf:7ef5:fee0 with SMTP id f5-20020a170906390500b006cf7ef5fee0mr3442577eje.307.1645125085409; Thu, 17 Feb 2022 11:11:25 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1645125085; cv=none; d=google.com; s=arc-20160816; b=WEsLvrvsGn6vyghw9NDQE2eVwLjv60pRRT5eJRMHW/nxxLCboHs2iQREzlYs6AErNo gqC5ufLa0Zk8B9R/FEv5RECJNiQsIConK4zP9DpZ0iq48nGXf+jZrh+gtoCDQkgCIxXR G0BFz4rfHKEm12DwJaQ2e3Lh8MGJ4l/C5DGM9XKtOu6uJ03t9LHMiZGej7wElX8HqCbx mGPH9m4TQwsrjhltIooT3F9O7mZjT6+3oAv+o02ynvsjT6KKIxx/ZWo8gcMIceT12MdA /jYFblsomG9zyNlncVAk2Z3kBaed2ExSsPYmayQ25u4Nw+KDszItTck3dm6NhLHZpOps gS9A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=R+uKxN/uQ3UdKZRYgJ9V9aHz1upM2XpQ82bT5M0IFbI=; b=jjZ/LakGLjGrYObpZVa7JOM4EoPCzhDhZUuXXBszYl/Thq1iU5BdwYNoL9BbxL3y6H VpwG4lKCApW0OYCPiz/uYFIlWN/71NnbBM498rLbIvrvY+KR6uTfsOXAdS2OlW0vJnB5 Snp3oldP4LL6GYBmiyi2ldNApUArRKNJPeNK3cxLqZ3hqWS0zE5joiREgsqNXCfGTT5S tFeMNOI8ug5JbgmpBwEYxyJDJAF68glZZ2zFOCYJRKHV3+H9LhB1e6GBmCLE6EjHhy2k e4BO/FG8fh7Plb4JfeKwZrDZ2FpaQ5eap40NWbm/psCgYQXIK+wBz/bmie0kJ4zF/YIM x7MQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=gGnqVU2y; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id hc40si2887452ejc.804.2022.02.17.11.11.01; Thu, 17 Feb 2022 11:11:25 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=gGnqVU2y; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240976AbiBQNdO (ORCPT + 99 others); Thu, 17 Feb 2022 08:33:14 -0500 Received: from mxb-00190b01.gslb.pphosted.com ([23.128.96.19]:56824 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240940AbiBQNdN (ORCPT ); Thu, 17 Feb 2022 08:33:13 -0500 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id E87AE1F3F36 for ; Thu, 17 Feb 2022 05:32:58 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1645104778; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=R+uKxN/uQ3UdKZRYgJ9V9aHz1upM2XpQ82bT5M0IFbI=; b=gGnqVU2yYB6qu+9Y1ne+Lwo9n10yDlILg0hZMNwN3iLa49JU2KpR+WKE9alE8SLoyIP1fi DnuACwKZeFyl03C+oyFV5lkYiIVBJt/kswjMrM2JBhgxZEMTygoOeqpA/uQOi8EwRbDQoP 8/ZrwMLdm1Nytfh/0ctYcboXRKq41lQ= Received: from mail-yw1-f199.google.com (mail-yw1-f199.google.com [209.85.128.199]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-656-FKl9UXs9MLq2gqoO6TTDKA-1; Thu, 17 Feb 2022 08:32:57 -0500 X-MC-Unique: FKl9UXs9MLq2gqoO6TTDKA-1 Received: by mail-yw1-f199.google.com with SMTP id 00721157ae682-2d61b4ef6cdso11630157b3.11 for ; Thu, 17 Feb 2022 05:32:57 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=R+uKxN/uQ3UdKZRYgJ9V9aHz1upM2XpQ82bT5M0IFbI=; b=QRaVo8FTgxPRUddWfB/+OFUmal7jaa6Me4GiPSQJUcdUWNBPeauE3C3J0/plenRnHq wOC1IgKr/i/CFS4+N6ddEQ3e5QBLhCwnuZylG/y15T1uV1nQlikXL7URq40WZbcFX9Xu 9liWSc4hfHIDa2IY9SHyNddkwxT3+Z/T/vt+H3rKaB5tqbkAIui5pJUFnSf03hyJHYJI +dBuKmSWKk8vmAH+xQAZhNzyx6MM17ZFCkyqr5ndlGA39Eyz2x8T+BtITc39H4Ydp/mu agwG/u+ghaOHZKN80wd29AgeA0TIfV6cYd3EGoW4ePpNcusS6sbDH129PwKFKWOvgmUQ tykA== X-Gm-Message-State: AOAM5323xNg6OJ4g4iTTtZ8w3K59iLAlas/xUnTPjW8rHSTGC/izuztW hqU4istzEmnS0W6BNjS2z3ryXtEZz7tMo4WTi3baHmstcVnbavUq9BaELIf45RcQdaE+UPKwye+ 1pRjStLqP531vDMPiRYrg7rj4kb9RyXtQJU0N8Sao X-Received: by 2002:a81:52cd:0:b0:2d6:93e0:f1b2 with SMTP id g196-20020a8152cd000000b002d693e0f1b2mr2533107ywb.245.1645104776599; Thu, 17 Feb 2022 05:32:56 -0800 (PST) X-Received: by 2002:a81:52cd:0:b0:2d6:93e0:f1b2 with SMTP id g196-20020a8152cd000000b002d693e0f1b2mr2533075ywb.245.1645104776330; Thu, 17 Feb 2022 05:32:56 -0800 (PST) MIME-Version: 1.0 References: <20220212175922.665442-1-omosnace@redhat.com> <20220212175922.665442-3-omosnace@redhat.com> In-Reply-To: From: Ondrej Mosnacek Date: Thu, 17 Feb 2022 14:32:44 +0100 Message-ID: Subject: Re: [PATCH net v3 2/2] security: implement sctp_assoc_established hook in selinux To: Paul Moore Cc: network dev , "David S. Miller" , Jakub Kicinski , SElinux list , Xin Long , Richard Haines , Vlad Yasevich , Neil Horman , Marcelo Ricardo Leitner , "linux-sctp @ vger . kernel . org" , Linux Security Module list , Linux kernel mailing list , Prashanth Prahlad Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-2.9 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW, SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Feb 14, 2022 at 11:14 PM Paul Moore wrote: > On Sat, Feb 12, 2022 at 12:59 PM Ondrej Mosnacek wrote: > > > > Do this by extracting the peer labeling per-association logic from > > selinux_sctp_assoc_request() into a new helper > > selinux_sctp_process_new_assoc() and use this helper in both > > selinux_sctp_assoc_request() and selinux_sctp_assoc_established(). This > > ensures that the peer labeling behavior as documented in > > Documentation/security/SCTP.rst is applied both on the client and server > > side: > > """ > > An SCTP socket will only have one peer label assigned to it. This will be > > assigned during the establishment of the first association. Any further > > associations on this socket will have their packet peer label compared to > > the sockets peer label, and only if they are different will the > > ``association`` permission be validated. This is validated by checking the > > socket peer sid against the received packets peer sid to determine whether > > the association should be allowed or denied. > > """ > > > > At the same time, it also ensures that the peer label of the association > > is set to the correct value, such that if it is peeled off into a new > > socket, the socket's peer label will then be set to the association's > > peer label, same as it already works on the server side. > > > > While selinux_inet_conn_established() (which we are replacing by > > selinux_sctp_assoc_established() for SCTP) only deals with assigning a > > peer label to the connection (socket), in case of SCTP we need to also > > copy the (local) socket label to the association, so that > > selinux_sctp_sk_clone() can then pick it up for the new socket in case > > of SCTP peeloff. > > > > Careful readers will notice that the selinux_sctp_process_new_assoc() > > helper also includes the "IPv4 packet received over an IPv6 socket" > > check, even though it hadn't been in selinux_sctp_assoc_request() > > before. While such check is not necessary in > > selinux_inet_conn_request() (because struct request_sock's family field > > is already set according to the skb's family), here it is needed, as we > > don't have request_sock and we take the initial family from the socket. > > In selinux_sctp_assoc_established() it is similarly needed as well (and > > also selinux_inet_conn_established() already has it). > > > > Fixes: 72e89f50084c ("security: Add support for SCTP security hooks") > > Reported-by: Prashanth Prahlad > > Based-on-patch-by: Xin Long > > Signed-off-by: Ondrej Mosnacek > > --- > > security/selinux/hooks.c | 90 +++++++++++++++++++++++++++++----------- > > 1 file changed, 66 insertions(+), 24 deletions(-) > > This patch, and patch 1/2, look good to me; I'm assuming this resolves > all of the known SELinux/SCTP problems identified before the new year? No, not really. There is still the inconsistency that peeloff sockets go through the socket_[post_]create hooks and then the label computed is overwritten by the sctp_sk_clone hook. But it's a different issue unrelated to this one. I'm still in the process of cooking up the patches and figuring out the consequences (other LSMs would be affected by the change, too, so it is tricky...). -- Ondrej Mosnacek Software Engineer, Linux Security - SELinux kernel Red Hat, Inc.