From nobody Tue May 7 02:39:59 2024 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DD9576FA0 for ; Mon, 19 Dec 2022 17:34:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1671471248; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Syjbob90eiNkz0Yg4P+B2NSN2XBsn+rBiv57VLcyy2E=; b=IZpK4fzOehGbnR4YhjwVUDqrWElJPSNJ9vL4i1SqNulAb0ccaQAlF1mukHyjvjPClf2G4a K2uWhNm3BoknFkJWX5WjAJjii/BuXSLTurmUPwlFe39aJ+hRSliT8UW72+eVvEP05cT9i6 82nWv1l0yuBpq4BrcjLHHeU/X7pHuV0= Received: from mimecast-mx02.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-626-0RuYmFcrO2qsY_UYOjddiw-1; Mon, 19 Dec 2022 12:34:04 -0500 X-MC-Unique: 0RuYmFcrO2qsY_UYOjddiw-1 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 92DD91C0A580; Mon, 19 Dec 2022 17:34:04 +0000 (UTC) Received: from gerbillo.redhat.com (unknown [10.39.193.37]) by smtp.corp.redhat.com (Postfix) with ESMTP id 87CB12166B26; Mon, 19 Dec 2022 17:34:03 +0000 (UTC) From: Paolo Abeni To: linux-security-module@vger.kernel.org Cc: Paul Moore , selinux@vger.kernel.org, mptcp@lists.linux.dev Subject: [PATCH v2 1/2] security, lsm: Introduce security_mptcp_add_subflow() Date: Mon, 19 Dec 2022 18:33:48 +0100 Message-Id: In-Reply-To: References: Precedence: bulk X-Mailing-List: mptcp@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.1 on 10.11.54.6 Content-Type: text/plain; charset="utf-8" MPTCP can create subflows in kernel context, and later indirectly expose them to user-space, via the owning mptcp socket. As discussed in the reported link, the above causes unexpected failures for server, MPTCP-enabled applications. Let's introduce a new LSM hook to allow the security module to relabel the subflow according to the owing process. Note that the new hook requires both the mptcp socket and the new subflow. This could allow future extensions, e.g. explicitly validating the mptcp <-> subflow linkage. Link: https://lore.kernel.org/mptcp/CAHC9VhTNh-YwiyTds=3DP1e3rixEDqbRTFj22b= pya=3D+qJqfcaMfg@mail.gmail.com/ Signed-off-by: Paolo Abeni Acked-by: Mat Martineau --- v1 -> v2: - fix build issue with !CONFIG_SECURITY_NETWORK --- include/linux/lsm_hook_defs.h | 1 + include/linux/lsm_hooks.h | 9 +++++++++ include/linux/security.h | 6 ++++++ net/mptcp/subflow.c | 6 ++++++ security/security.c | 5 +++++ 5 files changed, 27 insertions(+) diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index ed6cb2ac55fa..860e11e3a26b 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -343,6 +343,7 @@ LSM_HOOK(void, LSM_RET_VOID, sctp_sk_clone, struct sctp= _association *asoc, struct sock *sk, struct sock *newsk) LSM_HOOK(int, 0, sctp_assoc_established, struct sctp_association *asoc, struct sk_buff *skb) +LSM_HOOK(int, 0, mptcp_add_subflow, struct sock *sk, struct sock *ssk) #endif /* CONFIG_SECURITY_NETWORK */ =20 #ifdef CONFIG_SECURITY_INFINIBAND diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 0a5ba81f7367..84c9c4d4341e 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1096,6 +1096,15 @@ * @skb pointer to skbuff of association packet. * Return 0 if permission is granted. * + * Security hooks for MPTCP + * + * @mptcp_add_subflow + * Update the labeling for the given MPTCP subflow, to match to + * owning MPTCP socket. + * @sk: the owning MPTCP socket + * @ssk: the new subflow + * Return 0 if successful, otherwise < 0 error code. + * * Security hooks for Infiniband * * @ib_pkey_access: diff --git a/include/linux/security.h b/include/linux/security.h index 5b67f208f7de..82d50b2ba683 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -1479,6 +1479,7 @@ void security_sctp_sk_clone(struct sctp_association *= asoc, struct sock *sk, struct sock *newsk); int security_sctp_assoc_established(struct sctp_association *asoc, struct sk_buff *skb); +int security_mptcp_add_subflow(struct sock *sk, struct sock *ssk); =20 #else /* CONFIG_SECURITY_NETWORK */ static inline int security_unix_stream_connect(struct sock *sock, @@ -1706,6 +1707,11 @@ static inline int security_sctp_assoc_established(st= ruct sctp_association *asoc, { return 0; } + +static inline int security_mptcp_add_subflow(struct sock *sk, struct sock = *ssk) +{ + return 0; +} #endif /* CONFIG_SECURITY_NETWORK */ =20 #ifdef CONFIG_SECURITY_INFINIBAND diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c index bd387d4b5a38..43b90784d914 100644 --- a/net/mptcp/subflow.c +++ b/net/mptcp/subflow.c @@ -1680,6 +1680,10 @@ int mptcp_subflow_create_socket(struct sock *sk, str= uct socket **new_sock) =20 lock_sock(sf->sk); =20 + err =3D security_mptcp_add_subflow(sk, sf->sk); + if (err) + goto release_ssk; + /* the newly created socket has to be in the same cgroup as its parent */ mptcp_attach_cgroup(sk, sf->sk); =20 @@ -1692,6 +1696,8 @@ int mptcp_subflow_create_socket(struct sock *sk, stru= ct socket **new_sock) get_net_track(net, &sf->sk->ns_tracker, GFP_KERNEL); sock_inuse_add(net, 1); err =3D tcp_set_ulp(sf->sk, "mptcp"); + +release_ssk: release_sock(sf->sk); =20 if (err) { diff --git a/security/security.c b/security/security.c index d1571900a8c7..3491a4fc2b1f 100644 --- a/security/security.c +++ b/security/security.c @@ -2493,6 +2493,11 @@ int security_sctp_assoc_established(struct sctp_asso= ciation *asoc, } EXPORT_SYMBOL(security_sctp_assoc_established); =20 +int security_mptcp_add_subflow(struct sock *sk, struct sock *ssk) +{ + return call_int_hook(mptcp_add_subflow, 0, sk, ssk); +} + #endif /* CONFIG_SECURITY_NETWORK */ =20 #ifdef CONFIG_SECURITY_INFINIBAND --=20 2.38.1 From nobody Tue May 7 02:39:59 2024 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2CE2C6D24 for ; Mon, 19 Dec 2022 17:34:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1671471250; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Mge2WhqWFyM9HhE8E4llCSfJEuyu5fUhFFg1FKTv2b0=; b=IOBsAaScuoBLHVLJzOAzG5c6n+zJhNxuK/VgRBqufJkfRjx/nC/b+VSygM9x5/jAb4fHI7 An9oYn8s6LbBW+kiuZoDcf4t9auQfEYLxtEfbUyHNQ7IJYvoZcThQRbOxPDQND6ly1DiQn kCQXkUna4IL6uKBOpgl0pcjPBtsw6Gk= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-590-RwNk93g1NoyypRfJLiLUAg-1; Mon, 19 Dec 2022 12:34:06 -0500 X-MC-Unique: RwNk93g1NoyypRfJLiLUAg-1 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id EA3251802D50; Mon, 19 Dec 2022 17:34:05 +0000 (UTC) Received: from gerbillo.redhat.com (unknown [10.39.193.37]) by smtp.corp.redhat.com (Postfix) with ESMTP id E4D5D2166B26; Mon, 19 Dec 2022 17:34:04 +0000 (UTC) From: Paolo Abeni To: linux-security-module@vger.kernel.org Cc: Paul Moore , selinux@vger.kernel.org, mptcp@lists.linux.dev Subject: [PATCH v2 2/2] selinux: Implement mptcp_add_subflow hook Date: Mon, 19 Dec 2022 18:33:49 +0100 Message-Id: <3074022fdca04676443a9c74f57328eb729f150e.1671469167.git.pabeni@redhat.com> In-Reply-To: References: Precedence: bulk X-Mailing-List: mptcp@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.1 on 10.11.54.6 Content-Type: text/plain; charset="utf-8" Newly added subflows should inherit the associated label from the current process context, regarless of the sk_kern_sock flag value. This patch implements the above resetting the subflow sid, deleting the existing subflow label, if any, and then re-creating a new one. The new helper reuses the selinux_netlbl_sk_security_free() function, and it can end-up being called multiple times with the same argument; we additionally need to make it idempotent. Signed-off-by: Paolo Abeni --- v1 -> v2: - fix build issue with !CONFIG_NETLABEL --- security/selinux/hooks.c | 27 +++++++++++++++++++++++++++ security/selinux/netlabel.c | 4 +++- 2 files changed, 30 insertions(+), 1 deletion(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 3c5be76a9199..f785600b666a 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -5476,6 +5476,32 @@ static void selinux_sctp_sk_clone(struct sctp_associ= ation *asoc, struct sock *sk selinux_netlbl_sctp_sk_clone(sk, newsk); } =20 +static int selinux_mptcp_add_subflow(struct sock *sk, struct sock *ssk) +{ + const struct task_security_struct *tsec =3D selinux_cred(current_cred()); + struct sk_security_struct *ssksec =3D ssk->sk_security; + u16 sclass; + u32 sid; + int err; + + /* create the sid using the current cred, regardless of the ssk kern + * flag + */ + sclass =3D socket_type_to_security_class(ssk->sk_family, ssk->sk_type, + ssk->sk_protocol); + err =3D socket_sockcreate_sid(tsec, sclass, &sid); + if (err) + return err; + + ssksec->sid =3D sid; + + /* replace the existing subflow label deleting the existing one + * and re-recrating a new label using the current context + */ + selinux_netlbl_sk_security_free(ssksec); + return selinux_netlbl_socket_post_create(ssk, ssk->sk_family); +} + static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff= *skb, struct request_sock *req) { @@ -7216,6 +7242,7 @@ static struct security_hook_list selinux_hooks[] __ls= m_ro_after_init =3D { LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone), LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect), LSM_HOOK_INIT(sctp_assoc_established, selinux_sctp_assoc_established), + LSM_HOOK_INIT(mptcp_add_subflow, selinux_mptcp_add_subflow), LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request), LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone), LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established), diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c index 1321f15799e2..8e0080b8a8ef 100644 --- a/security/selinux/netlabel.c +++ b/security/selinux/netlabel.c @@ -155,8 +155,10 @@ void selinux_netlbl_err(struct sk_buff *skb, u16 famil= y, int error, int gateway) */ void selinux_netlbl_sk_security_free(struct sk_security_struct *sksec) { - if (sksec->nlbl_secattr !=3D NULL) + if (sksec->nlbl_secattr !=3D NULL) { netlbl_secattr_free(sksec->nlbl_secattr); + sksec->nlbl_secattr =3D NULL; + } } =20 /** --=20 2.38.1