| Message ID | d6f04d238c8a797899d6cb543a43f75e544221af.1671054577.git.pabeni@redhat.com (mailing list archive) |
|---|---|
| State | Changes Requested |
| Delegated to | Paul Moore |
| Series | lsm: introduce and use security_mptcp_add_subflow() |
Hi Paolo,

I love your patch! Yet something to improve:

[auto build test ERROR on linus/master]
[also build test ERROR on v6.1 next-20221214]
[cannot apply to pcmoore-selinux/next pcmoore-audit/next]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Paolo-Abeni/lsm-introduce-and-use-security_mptcp_add_subflow/20221215-060410
patch link:    https://lore.kernel.org/r/d6f04d238c8a797899d6cb543a43f75e544221af.1671054577.git.pabeni%40redhat.com
patch subject: [PATCH 2/2] selinux: Implement mptcp_add_subflow hook
config: s390-defconfig
compiler: s390-linux-gcc (GCC) 12.1.0
reproduce (this is a W=1 build):

```
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/intel-lab-lkp/linux/commit/b7b7443e4d94a98247ba4ce5a0df1e6417f8d147
        git remote add linux-review https://github.com/intel-lab-lkp/linux
        git fetch --no-tags linux-review Paolo-Abeni/lsm-introduce-and-use-security_mptcp_add_subflow/20221215-060410
        git checkout b7b7443e4d94a98247ba4ce5a0df1e6417f8d147
        # save the config file
        mkdir build_dir && cp config build_dir/.config
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=s390 SHELL=/bin/bash
```

If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>

All errors (new ones prefixed by >>):

```
   security/selinux/hooks.c: In function 'selinux_mptcp_add_subflow':
>> security/selinux/hooks.c:5501:19: error: 'struct sk_security_struct' has no member named 'nlbl_secattr'
    5501 |         if (ssksec->nlbl_secattr != NULL) {
         |                   ^~
   security/selinux/hooks.c:5502:43: error: 'struct sk_security_struct' has no member named 'nlbl_secattr'
    5502 |                 netlbl_secattr_free(ssksec->nlbl_secattr);
         |                                           ^~
   security/selinux/hooks.c:5503:23: error: 'struct sk_security_struct' has no member named 'nlbl_secattr'
    5503 |                 ssksec->nlbl_secattr = NULL;
         |                       ^~
```

vim +5501 security/selinux/hooks.c

```
  5478	
  5479	static int selinux_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
  5480	{
  5481		const struct task_security_struct *tsec = selinux_cred(current_cred());
  5482		struct sk_security_struct *ssksec = ssk->sk_security;
  5483		u16 sclass;
  5484		u32 sid;
  5485		int err;
  5486	
  5487		/* create the sid using the current cred, regardless of the ssk kern
  5488		 * flag
  5489		 */
  5490		sclass = socket_type_to_security_class(ssk->sk_family, ssk->sk_type,
  5491						       ssk->sk_protocol);
  5492		err = socket_sockcreate_sid(tsec, sclass, &sid);
  5493		if (err)
  5494			return err;
  5495	
  5496		ssksec->sid = sid;
  5497	
  5498		/* replace the existing subflow label with the new one
  5499		 * inherited from the mptcp socket
  5500		 */
> 5501		if (ssksec->nlbl_secattr != NULL) {
  5502			netlbl_secattr_free(ssksec->nlbl_secattr);
  5503			ssksec->nlbl_secattr = NULL;
  5504		}
  5505		return selinux_netlbl_socket_post_create(ssk, ssk->sk_family);
  5506	}
  5507	
```
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 3c5be76a9199..cbb4c711c502 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -5476,6 +5476,35 @@ static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk selinux_netlbl_sctp_sk_clone(sk, newsk); } +static int selinux_mptcp_add_subflow(struct sock *sk, struct sock *ssk) +{ + const struct task_security_struct *tsec = selinux_cred(current_cred()); + struct sk_security_struct *ssksec = ssk->sk_security; + u16 sclass; + u32 sid; + int err; + + /* create the sid using the current cred, regardless of the ssk kern + * flag + */ + sclass = socket_type_to_security_class(ssk->sk_family, ssk->sk_type, + ssk->sk_protocol); + err = socket_sockcreate_sid(tsec, sclass, &sid); + if (err) + return err; + + ssksec->sid = sid; + + /* replace the existing subflow label with the new one + * inherited from the mptcp socket + */ + if (ssksec->nlbl_secattr != NULL) { + netlbl_secattr_free(ssksec->nlbl_secattr); + ssksec->nlbl_secattr = NULL; + } + return selinux_netlbl_socket_post_create(ssk, ssk->sk_family); +} + static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb, struct request_sock *req) { @@ -7216,6 +7245,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone), LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect), LSM_HOOK_INIT(sctp_assoc_established, selinux_sctp_assoc_established), + LSM_HOOK_INIT(mptcp_add_subflow, selinux_mptcp_add_subflow), LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request), LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone), LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
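Review bot: the three direct `ssksec->nlbl_secattr` accesses in the new `selinux_mptcp_add_subflow()` do not compile when CONFIG_NETLABEL is disabled, which is exactly what the s390-defconfig report shows: that field is only part of `struct sk_security_struct` under `#ifdef CONFIG_NETLABEL`. Replace the open-coded block with the helper that `selinux_sk_free_security()` already uses for the same job, `selinux_netlbl_sk_security_free(ssksec);`, which security/selinux/include/netlabel.h turns into an empty stub when NetLabel is off, so the hook needs no `#ifdef` of its own and the NetLabel bookkeeping stays in netlabel.c. Two smaller points on the same hunk: `sclass` is derived from the subflow's family/type/protocol for `socket_sockcreate_sid()` but never written back to `ssksec->sclass`, so if it can differ from the class assigned when the subflow was created it should be stored as well; and the comment says the new label is "inherited from the mptcp socket" while the code derives the SID from `current_cred()` and never touches `sk`, so either the comment or the code (taking the SID from the parent's `sk_security`) should be adjusted so that they agree.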
Newly added subflows should inherit the associated label from the current process context, regardless of the sk_kern_sock flag value.

This patch implements the above resetting the subflow sid, deleting the existing subflow label, if any, and then re-creating a new one.

Signed-off-by: Paolo Abeni <pabeni@redhat.com>

```
---
 security/selinux/hooks.c | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
```