From patchwork Tue May 8 14:05:03 2018
X-Patchwork-Submitter: Alexey Kodanev
X-Patchwork-Id: 10386201
From: Alexey Kodanev
To: selinux@tycho.nsa.gov
Cc: Richard Haines, Paul Moore, Stephen Smalley, Eric Paris, linux-security-module@vger.kernel.org, netdev, Alexey Kodanev
Subject: [PATCH] selinux: add AF_UNSPEC and INADDR_ANY checks to selinux_socket_bind()
Date: Tue, 8 May 2018 17:05:03 +0300
Message-Id: <1525788303-23244-1-git-send-email-alexey.kodanev@oracle.com>
X-Mailer: git-send-email 1.7.1
Sender: owner-linux-security-module@vger.kernel.org

Commit d452930fd3b9 ("selinux: Add SCTP support") breaks compatibility with the old programs that can pass sockaddr_in with AF_UNSPEC and INADDR_ANY to bind(). As a result, bind() returns an EAFNOSUPPORT error. It was found with the LTP/asapi_01 test.

Similar to commit 29c486df6a20 ("net: ipv4: relax AF_INET check in bind()"), which relaxed the AF_INET check for compatibility, add the AF_UNSPEC case to AF_INET and make sure that the address is INADDR_ANY.

Also, at the end of selinux_socket_bind(), instead of adding AF_UNSPEC to 'address->sa_family == AF_INET', verify AF_INET6 first.

Fixes: d452930fd3b9 ("selinux: Add SCTP support")
Signed-off-by: Alexey Kodanev
---
 security/selinux/hooks.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 4cafe6a..649a3be 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4602,10 +4602,16 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. */ switch (address->sa_family) { + case AF_UNSPEC: case AF_INET: if (addrlen < sizeof(struct sockaddr_in)) return -EINVAL; addr4 = (struct sockaddr_in *)address; + + if (address->sa_family == AF_UNSPEC && + addr4->sin_addr.s_addr != htonl(INADDR_ANY)) + return -EAFNOSUPPORT; + snum = ntohs(addr4->sin_port); addrp = (char *)&addr4->sin_addr.s_addr; break; @@ -4681,10 +4687,10 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in ad.u.net->sport = htons(snum); ad.u.net->family = family; - if (address->sa_family == AF_INET) - ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; - else + if (address->sa_family == AF_INET6) ad.u.net->v6info.saddr = addr6->sin6_addr; + else + ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; err = avc_has_perm(&selinux_state, sksec->sid, sid,
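Review bot: in the first hunk the new `case AF_UNSPEC:` label falls through into the AF_INET parsing without a comment, while the block comment directly above the switch only explains the PF_INET6-socket/AF_INET-address case; add a line there (or before the new label) stating that AF_UNSPEC is accepted only with INADDR_ANY to match inet_bind() after 29c486df6a20, so a later reader does not "fix" the fall-through. The check itself is ordered correctly: the `addrlen < sizeof(struct sockaddr_in)` test precedes the `addr4->sin_addr.s_addr` dereference, and EAFNOSUPPORT is the same errno the core bind() path reports for AF_UNSPEC with a non-wildcard address, so userspace sees one consistent failure mode regardless of whether the LSM hook or the protocol layer rejects it.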
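Review bot: in the second hunk the inverted test now routes every family other than AF_INET6 into the `addr4` branch, so the audit record's correctness depends on the switch earlier in selinux_socket_bind() returning for any family it does not parse; please confirm that switch has a default that returns rather than breaking out with addr4 unset, since the hunk does not show it. With that confirmed, the inversion is the right shape: AF_UNSPEC is parsed into addr4 in the first hunk, so recording it as `v4info.saddr` keeps the audit data consistent with the permission check, whereas adding AF_UNSPEC to the old `== AF_INET` condition would have duplicated the family list in two places.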
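As an added example, not part of this patch or of the kernel sources, the following userspace probe exercises the compatibility case the commit message describes: a legacy program calls bind() with a sockaddr_in whose sa_family is AF_UNSPEC and whose address is INADDR_ANY (the LTP asapi_01 scenario). On a Linux kernel with this patch applied, the wildcard case must succeed and AF_UNSPEC with any other IPv4 address must fail with EAFNOSUPPORT. The function names (`unspec_bind_rule`, `probe_bind`, `count_mismatches`) are my own, and the expected-outcome rule is a userspace restatement of the checks in the hunks, written so the live kernel can be compared against it as a regression test.

```c
/* Added example: a userspace regression probe for the bind() compatibility case
 * the commit message describes. It is not part of the patch or of the kernel.
 * Legacy programs (the LTP asapi_01 case) call bind() with a sockaddr_in whose
 * sa_family is AF_UNSPEC and whose address is INADDR_ANY. After this patch the
 * SELinux bind hook, like inet_bind() since 29c486df6a20, must accept that and
 * refuse AF_UNSPEC with any other IPv4 address with EAFNOSUPPORT. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Expected outcome, restating the rule from the patch so the live kernel can
 * be compared against it: 0 if bind() should be allowed to proceed, otherwise
 * the errno it should fail with. s_addr_be is in network byte order. */
int unspec_bind_rule(sa_family_t family, uint32_t s_addr_be)
{
    if (family == AF_INET)
        return 0;
    if (family == AF_UNSPEC && s_addr_be == htonl(INADDR_ANY))
        return 0;
    return EAFNOSUPPORT;
}

/* Bind a fresh IPv4 UDP socket to an ephemeral port with the given family
 * field and address. Returns 0 on success, the bind() errno on failure, or
 * -1 when no socket could be created at all (sandbox without networking). */
int probe_bind(sa_family_t family, const char *ipv4)
{
    struct sockaddr_in sin;
    int fd, ret = 0;

    fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;

    memset(&sin, 0, sizeof(sin));
    sin.sin_family = family;   /* AF_INET, or AF_UNSPEC for the legacy case */
    sin.sin_port = 0;          /* port 0: kernel picks a free port */
    if (inet_pton(AF_INET, ipv4, &sin.sin_addr) != 1) {
        close(fd);
        return -1;
    }

    if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0)
        ret = errno;
    close(fd);
    return ret;
}

/* Run the three interesting inputs (constructed test cases) and count
 * disagreements between the expected rule and the running kernel.
 * Returns -1 if sockets are unavailable in this environment. */
int count_mismatches(void)
{
    static const struct { sa_family_t fam; const char *ip; } cases[] = {
        { AF_INET,   "0.0.0.0"   },   /* ordinary wildcard bind */
        { AF_UNSPEC, "0.0.0.0"   },   /* legacy AF_UNSPEC + INADDR_ANY */
        { AF_UNSPEC, "127.0.0.1" },   /* AF_UNSPEC with a real address */
    };
    int mismatches = 0;
    size_t i;

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        struct in_addr a;
        int want, got;

        inet_pton(AF_INET, cases[i].ip, &a);
        want = unspec_bind_rule(cases[i].fam, a.s_addr);
        got = probe_bind(cases[i].fam, cases[i].ip);
        if (got == -1)
            return -1;
        printf("family=%u addr=%-9s expected=%d got=%d (%s)\n",
               (unsigned)cases[i].fam, cases[i].ip, want, got,
               got == want ? "ok" : "MISMATCH");
        if (got != want)
            mismatches++;
    }
    return mismatches;
}

int main(void)
{
    int n = count_mismatches();

    if (n < 0) {
        fprintf(stderr, "could not create a socket; probe skipped\n");
        return 2;
    }
    return n == 0 ? 0 : 1;
}
```

Run it as an unprivileged user on the kernel under test; a non-zero mismatch count on an SELinux-enforcing system with the SCTP support commit but without this fix reproduces the EAFNOSUPPORT regression for the wildcard AF_UNSPEC case, and a zero count confirms the fix without needing the full LTP suite.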