Message ID | 71602ec3cff6bf67d47fef520f64cb6bccba928c.1634884487.git.lucien.xin@gmail.com (mailing list archive) |
---|---|
State | Superseded |
Delegated to: | Paul Moore |
Headers | show |
Series | security: fixups for the security hooks in sctp | expand |
Hi Xin, Thank you for the patch! Yet something to improve: [auto build test ERROR on net/master] url: https://github.com/0day-ci/linux/commits/Xin-Long/security-fixups-for-the-security-hooks-in-sctp/20211022-143827 base: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git 397430b50a363d8b7bdda00522123f82df6adc5e config: hexagon-buildonly-randconfig-r006-20211024 (attached as .config) compiler: clang version 14.0.0 (https://github.com/llvm/llvm-project a709787cd988aaca847995bd08cc9348c9c6c956) reproduce (this is a W=1 build): wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross # https://github.com/0day-ci/linux/commit/32fba59611e67404b515f7864aa67a3abd2f7978 git remote add linux-review https://github.com/0day-ci/linux git fetch --no-tags linux-review Xin-Long/security-fixups-for-the-security-hooks-in-sctp/20211022-143827 git checkout 32fba59611e67404b515f7864aa67a3abd2f7978 # save the attached .config to linux build tree COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 ARCH=hexagon If you fix the issue, kindly add following tag as appropriate Reported-by: kernel test robot <lkp@intel.com> All error/warnings (new ones prefixed by >>): In file included from fs/open.c:19: >> include/linux/security.h:1651:2: error: void function 'security_sctp_assoc_established' should not return a value [-Wreturn-type] return 0; ^ ~ 1 error generated. -- In file included from fs/pipe.c:17: In file included from include/linux/pseudo_fs.h:4: In file included from include/linux/fs_context.h:14: >> include/linux/security.h:1651:2: error: void function 'security_sctp_assoc_established' should not return a value [-Wreturn-type] return 0; ^ ~ fs/pipe.c:755:15: warning: no previous prototype for function 'account_pipe_buffers' [-Wmissing-prototypes] unsigned long account_pipe_buffers(struct user_struct *user, ^ fs/pipe.c:755:1: note: declare 'static' if the function is not intended to be used outside of this translation unit unsigned long account_pipe_buffers(struct user_struct *user, ^ static fs/pipe.c:761:6: warning: no previous prototype for function 'too_many_pipe_buffers_soft' [-Wmissing-prototypes] bool too_many_pipe_buffers_soft(unsigned long user_bufs) ^ fs/pipe.c:761:1: note: declare 'static' if the function is not intended to be used outside of this translation unit bool too_many_pipe_buffers_soft(unsigned long user_bufs) ^ static fs/pipe.c:768:6: warning: no previous prototype for function 'too_many_pipe_buffers_hard' [-Wmissing-prototypes] bool too_many_pipe_buffers_hard(unsigned long user_bufs) ^ fs/pipe.c:768:1: note: declare 'static' if the function is not intended to be used outside of this translation unit bool too_many_pipe_buffers_hard(unsigned long user_bufs) ^ static fs/pipe.c:775:6: warning: no previous prototype for function 'pipe_is_unprivileged_user' [-Wmissing-prototypes] bool pipe_is_unprivileged_user(void) ^ fs/pipe.c:775:1: note: declare 'static' if the function is not intended to be used outside of this translation unit bool pipe_is_unprivileged_user(void) ^ static fs/pipe.c:1245:5: warning: no previous prototype for function 'pipe_resize_ring' [-Wmissing-prototypes] int pipe_resize_ring(struct pipe_inode_info *pipe, unsigned int nr_slots) ^ fs/pipe.c:1245:1: note: declare 'static' if the function is not intended to be used outside of this translation unit int pipe_resize_ring(struct pipe_inode_info *pipe, unsigned int nr_slots) ^ static 5 warnings and 1 error generated. -- In file included from fs/d_path.c:2: In file included from include/linux/syscalls.h:87: In file included from include/trace/syscall.h:7: In file included from include/linux/trace_events.h:10: In file included from include/linux/perf_event.h:59: >> include/linux/security.h:1651:2: error: void function 'security_sctp_assoc_established' should not return a value [-Wreturn-type] return 0; ^ ~ fs/d_path.c:320:7: warning: no previous prototype for function 'simple_dname' [-Wmissing-prototypes] char *simple_dname(struct dentry *dentry, char *buffer, int buflen) ^ fs/d_path.c:320:1: note: declare 'static' if the function is not intended to be used outside of this translation unit char *simple_dname(struct dentry *dentry, char *buffer, int buflen) ^ static 1 warning and 1 error generated. -- In file included from fs/statfs.c:2: In file included from include/linux/syscalls.h:87: In file included from include/trace/syscall.h:7: In file included from include/linux/trace_events.h:10: In file included from include/linux/perf_event.h:59: >> include/linux/security.h:1651:2: error: void function 'security_sctp_assoc_established' should not return a value [-Wreturn-type] return 0; ^ ~ >> fs/statfs.c:131:3: warning: 'memcpy' will always overflow; destination buffer has size 64, but size argument is 88 [-Wfortify-source] memcpy(&buf, st, sizeof(*st)); ^ 1 warning and 1 error generated. -- In file included from ipc/msg.c:33: >> include/linux/security.h:1651:2: error: void function 'security_sctp_assoc_established' should not return a value [-Wreturn-type] return 0; ^ ~ >> ipc/msg.c:496:20: warning: implicit conversion from 'int' to 'unsigned short' changes value from 32768000 to 0 [-Wconstant-conversion] msginfo->msgseg = MSGSEG; ~ ^~~~~~ include/uapi/linux/msg.h:87:38: note: expanded from macro 'MSGSEG' #define MSGSEG (__MSGSEG <= 0xffff ? __MSGSEG : 0xffff) ^~~~~~~~ include/uapi/linux/msg.h:86:36: note: expanded from macro '__MSGSEG' #define __MSGSEG ((MSGPOOL * 1024) / MSGSSZ) /* max no. of segments */ ~~~~~~~~~~~~~~~~~^~~~~~~~ 1 warning and 1 error generated. -- In file included from kernel/printk/printk.c:34: >> include/linux/security.h:1651:2: error: void function 'security_sctp_assoc_established' should not return a value [-Wreturn-type] return 0; ^ ~ kernel/printk/printk.c:175:5: warning: no previous prototype for function 'devkmsg_sysctl_set_loglvl' [-Wmissing-prototypes] int devkmsg_sysctl_set_loglvl(struct ctl_table *table, int write, ^ kernel/printk/printk.c:175:1: note: declare 'static' if the function is not intended to be used outside of this translation unit int devkmsg_sysctl_set_loglvl(struct ctl_table *table, int write, ^ static 1 warning and 1 error generated. -- In file included from fs/afs/dir.c:16: In file included from fs/afs/internal.h:25: In file included from include/net/sock.h:46: In file included from include/linux/netdevice.h:45: In file included from include/uapi/linux/neighbour.h:6: In file included from include/linux/netlink.h:9: In file included from include/net/scm.h:8: >> include/linux/security.h:1651:2: error: void function 'security_sctp_assoc_established' should not return a value [-Wreturn-type] return 0; ^ ~ fs/afs/dir.c:164:11: warning: format specifies type 'unsigned short' but the argument has type 'int' [-Wformat] ntohs(dbuf->blocks[tmp].hdr.magic)); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ include/linux/printk.h:446:60: note: expanded from macro 'printk' #define printk(fmt, ...) printk_index_wrap(_printk, fmt, ##__VA_ARGS__) ~~~ ^~~~~~~~~~~ include/linux/printk.h:418:19: note: expanded from macro 'printk_index_wrap' _p_func(_fmt, ##__VA_ARGS__); \ ~~~~ ^~~~~~~~~~~ include/linux/byteorder/generic.h:142:18: note: expanded from macro 'ntohs' #define ntohs(x) ___ntohs(x) ^~~~~~~~~~~ include/linux/byteorder/generic.h:137:21: note: expanded from macro '___ntohs' #define ___ntohs(x) __be16_to_cpu(x) ^~~~~~~~~~~~~~~~ include/uapi/linux/byteorder/little_endian.h:42:26: note: expanded from macro '__be16_to_cpu' #define __be16_to_cpu(x) __swab16((__force __u16)(__be16)(x)) ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ include/uapi/linux/swab.h:105:2: note: expanded from macro '__swab16' (__builtin_constant_p((__u16)(x)) ? \ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1 warning and 1 error generated. -- In file included from drivers/char/mem.c:25: In file included from include/linux/shmem_fs.h:11: In file included from include/linux/fs_parser.h:11: In file included from include/linux/fs_context.h:14: >> include/linux/security.h:1651:2: error: void function 'security_sctp_assoc_established' should not return a value [-Wreturn-type] return 0; ^ ~ drivers/char/mem.c:95:13: warning: no previous prototype for function 'unxlate_dev_mem_ptr' [-Wmissing-prototypes] void __weak unxlate_dev_mem_ptr(phys_addr_t phys, void *addr) ^ drivers/char/mem.c:94:29: note: expanded from macro 'unxlate_dev_mem_ptr' #define unxlate_dev_mem_ptr unxlate_dev_mem_ptr ^ drivers/char/mem.c:95:1: note: declare 'static' if the function is not intended to be used outside of this translation unit void __weak unxlate_dev_mem_ptr(phys_addr_t phys, void *addr) ^ static 1 warning and 1 error generated. -- In file included from drivers/char/random.c:335: In file included from include/linux/syscalls.h:87: In file included from include/trace/syscall.h:7: In file included from include/linux/trace_events.h:10: In file included from include/linux/perf_event.h:59: >> include/linux/security.h:1651:2: error: void function 'security_sctp_assoc_established' should not return a value [-Wreturn-type] return 0; ^ ~ >> drivers/char/random.c:1257:41: warning: shift count >= width of type [-Wshift-count-overflow] c_high = (sizeof(cycles) > 4) ? cycles >> 32 : 0; ^ ~~ drivers/char/random.c:1258:35: warning: shift count >= width of type [-Wshift-count-overflow] j_high = (sizeof(now) > 4) ? now >> 32 : 0; ^ ~~ drivers/char/random.c:2272:6: warning: no previous prototype for function 'add_hwgenerator_randomness' [-Wmissing-prototypes] void add_hwgenerator_randomness(const char *buffer, size_t count, ^ drivers/char/random.c:2272:1: note: declare 'static' if the function is not intended to be used outside of this translation unit void add_hwgenerator_randomness(const char *buffer, size_t count, ^ static 3 warnings and 1 error generated. -- In file included from fs/cifs/ioctl.c:16: In file included from fs/cifs/cifspdu.h:12: In file included from include/net/sock.h:46: In file included from include/linux/netdevice.h:45: In file included from include/uapi/linux/neighbour.h:6: In file included from include/linux/netlink.h:9: In file included from include/net/scm.h:8: >> include/linux/security.h:1651:2: error: void function 'security_sctp_assoc_established' should not return a value [-Wreturn-type] return 0; ^ ~ fs/cifs/ioctl.c:324:10: warning: variable 'caps' set but not used [-Wunused-but-set-variable] __u64 caps; ^ 1 warning and 1 error generated. -- In file included from fs/kernfs/file.c:19: In file included from fs/kernfs/kernfs-internal.h:20: In file included from include/linux/fs_context.h:14: >> include/linux/security.h:1651:2: error: void function 'security_sctp_assoc_established' should not return a value [-Wreturn-type] return 0; ^ ~ fs/kernfs/file.c:128:15: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic] return NULL + !*ppos; ~~~~ ^ 1 warning and 1 error generated. vim +/security_sctp_assoc_established +1651 include/linux/security.h 1647 1648 static inline void security_sctp_assoc_established(struct sctp_association *asoc, 1649 struct sk_buff *skb) 1650 { > 1651 return 0; 1652 } 1653 #endif /* CONFIG_SECURITY_NETWORK */ 1654 --- 0-DAY CI Kernel Test Service, Intel Corporation https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
Hi Xin,
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on net/master]
url: https://github.com/0day-ci/linux/commits/Xin-Long/security-fixups-for-the-security-hooks-in-sctp/20211022-143827
base: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git 397430b50a363d8b7bdda00522123f82df6adc5e
config: hexagon-randconfig-r041-20211025 (attached as .config)
compiler: clang version 14.0.0 (https://github.com/llvm/llvm-project a461fa64bb37cffd73f683c74f6b0780379fc2ca)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/0day-ci/linux/commit/32fba59611e67404b515f7864aa67a3abd2f7978
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review Xin-Long/security-fixups-for-the-security-hooks-in-sctp/20211022-143827
git checkout 32fba59611e67404b515f7864aa67a3abd2f7978
# save the attached .config to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 ARCH=hexagon
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
All warnings (new ones prefixed by >>):
In file included from drivers/gpu/drm/vgem/vgem_drv.c:36:
In file included from include/linux/shmem_fs.h:11:
In file included from include/linux/fs_parser.h:11:
In file included from include/linux/fs_context.h:14:
include/linux/security.h:1651:2: error: void function 'security_sctp_assoc_established' should not return a value [-Wreturn-type]
return 0;
^ ~
>> drivers/gpu/drm/vgem/vgem_drv.c:460:10: warning: shift count >= width of type [-Wshift-count-overflow]
DMA_BIT_MASK(64));
^~~~~~~~~~~~~~~~
include/linux/dma-mapping.h:76:54: note: expanded from macro 'DMA_BIT_MASK'
#define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
^ ~~~
1 warning and 1 error generated.
vim +460 drivers/gpu/drm/vgem/vgem_drv.c
502e95c6678505 Zach Reizner 2015-03-04 444
502e95c6678505 Zach Reizner 2015-03-04 445 static int __init vgem_init(void)
502e95c6678505 Zach Reizner 2015-03-04 446 {
502e95c6678505 Zach Reizner 2015-03-04 447 int ret;
bcc0ef7f57e51e Daniel Vetter 2020-09-09 448 struct platform_device *pdev;
502e95c6678505 Zach Reizner 2015-03-04 449
bcc0ef7f57e51e Daniel Vetter 2020-09-09 450 pdev = platform_device_register_simple("vgem", -1, NULL, 0);
bcc0ef7f57e51e Daniel Vetter 2020-09-09 451 if (IS_ERR(pdev))
bcc0ef7f57e51e Daniel Vetter 2020-09-09 452 return PTR_ERR(pdev);
e2aff44868ae60 Laura Abbott 2017-05-04 453
bcc0ef7f57e51e Daniel Vetter 2020-09-09 454 if (!devres_open_group(&pdev->dev, NULL, GFP_KERNEL)) {
bcc0ef7f57e51e Daniel Vetter 2020-09-09 455 ret = -ENOMEM;
bcc0ef7f57e51e Daniel Vetter 2020-09-09 456 goto out_unregister;
502e95c6678505 Zach Reizner 2015-03-04 457 }
502e95c6678505 Zach Reizner 2015-03-04 458
bcc0ef7f57e51e Daniel Vetter 2020-09-09 459 dma_coerce_mask_and_coherent(&pdev->dev,
e2aff44868ae60 Laura Abbott 2017-05-04 @460 DMA_BIT_MASK(64));
bcc0ef7f57e51e Daniel Vetter 2020-09-09 461
bcc0ef7f57e51e Daniel Vetter 2020-09-09 462 vgem_device = devm_drm_dev_alloc(&pdev->dev, &vgem_driver,
bcc0ef7f57e51e Daniel Vetter 2020-09-09 463 struct vgem_device, drm);
bcc0ef7f57e51e Daniel Vetter 2020-09-09 464 if (IS_ERR(vgem_device)) {
bcc0ef7f57e51e Daniel Vetter 2020-09-09 465 ret = PTR_ERR(vgem_device);
bcc0ef7f57e51e Daniel Vetter 2020-09-09 466 goto out_devres;
bcc0ef7f57e51e Daniel Vetter 2020-09-09 467 }
bcc0ef7f57e51e Daniel Vetter 2020-09-09 468 vgem_device->platform = pdev;
e2aff44868ae60 Laura Abbott 2017-05-04 469
315f0242aa2b1e Chris Wilson 2017-05-08 470 /* Final step: expose the device/driver to userspace */
315f0242aa2b1e Chris Wilson 2017-05-08 471 ret = drm_dev_register(&vgem_device->drm, 0);
502e95c6678505 Zach Reizner 2015-03-04 472 if (ret)
bcc0ef7f57e51e Daniel Vetter 2020-09-09 473 goto out_devres;
502e95c6678505 Zach Reizner 2015-03-04 474
502e95c6678505 Zach Reizner 2015-03-04 475 return 0;
502e95c6678505 Zach Reizner 2015-03-04 476
bcc0ef7f57e51e Daniel Vetter 2020-09-09 477 out_devres:
bcc0ef7f57e51e Daniel Vetter 2020-09-09 478 devres_release_group(&pdev->dev, NULL);
d5c04dff24870e Deepak Sharma 2018-10-23 479 out_unregister:
bcc0ef7f57e51e Daniel Vetter 2020-09-09 480 platform_device_unregister(pdev);
502e95c6678505 Zach Reizner 2015-03-04 481 return ret;
502e95c6678505 Zach Reizner 2015-03-04 482 }
502e95c6678505 Zach Reizner 2015-03-04 483
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
On Fri, Oct 22, 2021 at 8:36 AM Xin Long <lucien.xin@gmail.com> wrote: > > security_sctp_assoc_established() is added to replace > security_inet_conn_established() called in > sctp_sf_do_5_1E_ca(), so that asoc can be accessed in security > subsystem and save the peer secid to asoc->peer_secid. > > Fixes: 72e89f50084c ("security: Add support for SCTP security hooks") > Reported-by: Prashanth Prahlad <pprahlad@redhat.com> > Signed-off-by: Xin Long <lucien.xin@gmail.com> > --- > Documentation/security/SCTP.rst | 22 ++++++++++------------ > include/linux/lsm_hook_defs.h | 2 ++ > include/linux/lsm_hooks.h | 5 +++++ > include/linux/security.h | 8 ++++++++ > net/sctp/sm_statefuns.c | 2 +- > security/security.c | 7 +++++++ > 6 files changed, 33 insertions(+), 13 deletions(-) [...] > diff --git a/include/linux/security.h b/include/linux/security.h > index a16407444871..11cdddf9685c 100644 > --- a/include/linux/security.h > +++ b/include/linux/security.h > @@ -1423,6 +1423,8 @@ int security_sctp_bind_connect(struct sock *sk, int optname, > struct sockaddr *address, int addrlen); > void security_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk, > struct sock *newsk); > +void security_sctp_assoc_established(struct sctp_association *asoc, > + struct sk_buff *skb); > > #else /* CONFIG_SECURITY_NETWORK */ > static inline int security_unix_stream_connect(struct sock *sock, > @@ -1642,6 +1644,12 @@ static inline void security_sctp_sk_clone(struct sctp_association *asoc, > struct sock *newsk) > { > } > + > +static inline void security_sctp_assoc_established(struct sctp_association *asoc, > + struct sk_buff *skb) > +{ > + return 0; It has now been pointed out by the kernel robot as well, but you are returning a value from a function with return type void here. > +} > #endif /* CONFIG_SECURITY_NETWORK */ > > #ifdef CONFIG_SECURITY_INFINIBAND > diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c > index b818532c3fc2..5fabaa54b77d 100644 > --- a/net/sctp/sm_statefuns.c > +++ b/net/sctp/sm_statefuns.c > @@ -946,7 +946,7 @@ enum sctp_disposition sctp_sf_do_5_1E_ca(struct net *net, > sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); > > /* Set peer label for connection. */ > - security_inet_conn_established(ep->base.sk, chunk->skb); > + security_sctp_assoc_established((struct sctp_association *)asoc, chunk->skb); > > /* RFC 2960 5.1 Normal Establishment of an Association > * > diff --git a/security/security.c b/security/security.c > index b0f1c007aa3b..4b2b4b5beb27 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -2387,6 +2387,13 @@ void security_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk, > } > EXPORT_SYMBOL(security_sctp_sk_clone); > > +void security_sctp_assoc_established(struct sctp_association *asoc, > + struct sk_buff *skb) > +{ > + call_void_hook(sctp_assoc_established, asoc, skb); > +} > +EXPORT_SYMBOL(security_sctp_assoc_established); > + > #endif /* CONFIG_SECURITY_NETWORK */ > > #ifdef CONFIG_SECURITY_INFINIBAND > -- > 2.27.0 > -- Ondrej Mosnacek Software Engineer, Linux Security - SELinux kernel Red Hat, Inc.
diff --git a/Documentation/security/SCTP.rst b/Documentation/security/SCTP.rst index 9a38067762e5..3ebbcd80b3e7 100644 --- a/Documentation/security/SCTP.rst +++ b/Documentation/security/SCTP.rst @@ -15,10 +15,7 @@ For security module support, three SCTP specific hooks have been implemented:: security_sctp_assoc_request() security_sctp_bind_connect() security_sctp_sk_clone() - -Also the following security hook has been utilised:: - - security_inet_conn_established() + security_sctp_assoc_established() The usage of these hooks are described below with the SELinux implementation described in the `SCTP SELinux Support`_ chapter. @@ -122,11 +119,12 @@ calls **sctp_peeloff**\(3). @newsk - pointer to new sock structure. -security_inet_conn_established() +security_sctp_assoc_established() ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Called when a COOKIE ACK is received:: +Called when a COOKIE ACK is received, and the peer secid will be +saved into ``@asoc->peer_secid`` for client:: - @sk - pointer to sock structure. + @asoc - pointer to sctp association structure. @skb - pointer to skbuff of the COOKIE ACK packet. @@ -134,7 +132,7 @@ Security Hooks used for Association Establishment ------------------------------------------------- The following diagram shows the use of ``security_sctp_bind_connect()``, -``security_sctp_assoc_request()``, ``security_inet_conn_established()`` when +``security_sctp_assoc_request()``, ``security_sctp_assoc_established()`` when establishing an association. :: @@ -172,7 +170,7 @@ establishing an association. <------------------------------------------- COOKIE ACK | | sctp_sf_do_5_1E_ca | - Call security_inet_conn_established() | + Call security_sctp_assoc_established() | to set the peer label. | | | | If SCTP_SOCKET_TCP or peeled off @@ -198,7 +196,7 @@ hooks with the SELinux specifics expanded below:: security_sctp_assoc_request() security_sctp_bind_connect() security_sctp_sk_clone() - security_inet_conn_established() + security_sctp_assoc_established() security_sctp_assoc_request() @@ -271,12 +269,12 @@ sockets sid and peer sid to that contained in the ``@asoc sid`` and @newsk - pointer to new sock structure. -security_inet_conn_established() +security_sctp_assoc_established() ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Called when a COOKIE ACK is received where it sets the connection's peer sid to that in ``@skb``:: - @sk - pointer to sock structure. + @asoc - pointer to sctp association structure. @skb - pointer to skbuff of the COOKIE ACK packet. diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 0024273a7382..e9870118cc67 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -334,6 +334,8 @@ LSM_HOOK(int, 0, sctp_bind_connect, struct sock *sk, int optname, struct sockaddr *address, int addrlen) LSM_HOOK(void, LSM_RET_VOID, sctp_sk_clone, struct sctp_association *asoc, struct sock *sk, struct sock *newsk) +LSM_HOOK(void, LSM_RET_VOID, sctp_assoc_established, struct sctp_association *asoc, + struct sk_buff *skb) #endif /* CONFIG_SECURITY_NETWORK */ #ifdef CONFIG_SECURITY_INFINIBAND diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 240b92d89852..ba42c22204e2 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1047,6 +1047,11 @@ * @asoc pointer to current sctp association structure. * @sk pointer to current sock structure. * @newsk pointer to new sock structure. + * @sctp_assoc_established: + * Passes the @asoc and @chunk->skb of the association COOKIE_ACK packet + * to the security module. + * @asoc pointer to sctp association structure. + * @skb pointer to skbuff of association packet. * * Security hooks for Infiniband * diff --git a/include/linux/security.h b/include/linux/security.h index a16407444871..11cdddf9685c 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -1423,6 +1423,8 @@ int security_sctp_bind_connect(struct sock *sk, int optname, struct sockaddr *address, int addrlen); void security_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk, struct sock *newsk); +void security_sctp_assoc_established(struct sctp_association *asoc, + struct sk_buff *skb); #else /* CONFIG_SECURITY_NETWORK */ static inline int security_unix_stream_connect(struct sock *sock, @@ -1642,6 +1644,12 @@ static inline void security_sctp_sk_clone(struct sctp_association *asoc, struct sock *newsk) { } + +static inline void security_sctp_assoc_established(struct sctp_association *asoc, + struct sk_buff *skb) +{ + return 0; +} #endif /* CONFIG_SECURITY_NETWORK */ #ifdef CONFIG_SECURITY_INFINIBAND diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c index b818532c3fc2..5fabaa54b77d 100644 --- a/net/sctp/sm_statefuns.c +++ b/net/sctp/sm_statefuns.c @@ -946,7 +946,7 @@ enum sctp_disposition sctp_sf_do_5_1E_ca(struct net *net, sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); /* Set peer label for connection. */ - security_inet_conn_established(ep->base.sk, chunk->skb); + security_sctp_assoc_established((struct sctp_association *)asoc, chunk->skb); /* RFC 2960 5.1 Normal Establishment of an Association * diff --git a/security/security.c b/security/security.c index b0f1c007aa3b..4b2b4b5beb27 100644 --- a/security/security.c +++ b/security/security.c @@ -2387,6 +2387,13 @@ void security_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk, } EXPORT_SYMBOL(security_sctp_sk_clone); +void security_sctp_assoc_established(struct sctp_association *asoc, + struct sk_buff *skb) +{ + call_void_hook(sctp_assoc_established, asoc, skb); +} +EXPORT_SYMBOL(security_sctp_assoc_established); + #endif /* CONFIG_SECURITY_NETWORK */ #ifdef CONFIG_SECURITY_INFINIBAND
security_sctp_assoc_established() is added to replace security_inet_conn_established() called in sctp_sf_do_5_1E_ca(), so that asoc can be accessed in security subsystem and save the peer secid to asoc->peer_secid. Fixes: 72e89f50084c ("security: Add support for SCTP security hooks") Reported-by: Prashanth Prahlad <pprahlad@redhat.com> Signed-off-by: Xin Long <lucien.xin@gmail.com> --- Documentation/security/SCTP.rst | 22 ++++++++++------------ include/linux/lsm_hook_defs.h | 2 ++ include/linux/lsm_hooks.h | 5 +++++ include/linux/security.h | 8 ++++++++ net/sctp/sm_statefuns.c | 2 +- security/security.c | 7 +++++++ 6 files changed, 33 insertions(+), 13 deletions(-)