From: Ondrej Mosnacek
To: netdev@vger.kernel.org, davem@davemloft.net, kuba@kernel.org, selinux@vger.kernel.org, Paul Moore
Cc: Xin Long, Richard Haines, Vlad Yasevich, Neil Horman, Marcelo Ricardo Leitner, linux-sctp@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Prashanth Prahlad
Subject: [PATCH net v3 1/2] security: add sctp_assoc_established hook
Date: Sat, 12 Feb 2022 18:59:21 +0100
Message-Id: <20220212175922.665442-2-omosnace@redhat.com>
In-Reply-To: <20220212175922.665442-1-omosnace@redhat.com>
References: <20220212175922.665442-1-omosnace@redhat.com>

security_sctp_assoc_established() is added to replace
security_inet_conn_established() called in sctp_sf_do_5_1E_ca(), so that
asoc can be accessed in security subsystem and save the peer secid to
asoc->peer_secid.

Fixes: 72e89f50084c ("security: Add support for SCTP security hooks")
Reported-by: Prashanth Prahlad
Based-on-patch-by: Xin Long
Signed-off-by: Ondrej Mosnacek
Reviewed-by: Xin Long
Tested-by: Richard Haines
---
 Documentation/security/SCTP.rst | 22 ++++++++++------------
 include/linux/lsm_hook_defs.h   |  2 ++
 include/linux/lsm_hooks.h       |  5 +++++
 include/linux/security.h        |  8 ++++++++
 net/sctp/sm_statefuns.c         |  8 +++++---
 security/security.c             |  7 +++++++
 6 files changed, 37 insertions(+), 15 deletions(-)

diff --git a/Documentation/security/SCTP.rst b/Documentation/security/SCTP.rst
index d5fd6ccc3dcb..406cc68b8808 100644
--- a/Documentation/security/SCTP.rst
+++ b/Documentation/security/SCTP.rst
@@ -15,10 +15,7 @@ For security module support, three SCTP specific hooks h= ave been implemented:: security_sctp_assoc_request() security_sctp_bind_connect() security_sctp_sk_clone() - -Also the following security hook has been utilised:: - - security_inet_conn_established() + security_sctp_assoc_established() =20 The usage of these hooks are described below with the SELinux implementati= on described in the `SCTP SELinux Support`_ chapter. @@ -122,11 +119,12 @@ calls **sctp_peeloff**\(3). @newsk - pointer to new sock structure. =20 =20 -security_inet_conn_established() +security_sctp_assoc_established() ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Called when a COOKIE ACK is received:: +Called when a COOKIE ACK is received, and the peer secid will be +saved into ``@asoc->peer_secid`` for client:: =20 - @sk - pointer to sock structure. + @asoc - pointer to sctp association structure. @skb - pointer to skbuff of the COOKIE ACK packet. =20 =20 @@ -134,7 +132,7 @@ Security Hooks used for Association Establishment ------------------------------------------------- =20 The following diagram shows the use of ``security_sctp_bind_connect()``, -``security_sctp_assoc_request()``, ``security_inet_conn_established()`` wh= en +``security_sctp_assoc_request()``, ``security_sctp_assoc_established()`` w= hen establishing an association. :: =20 @@ -172,7 +170,7 @@ establishing an association. <------------------------------------------- COOKIE ACK | | sctp_sf_do_5_1E_ca | - Call security_inet_conn_established() | + Call security_sctp_assoc_established() | to set the peer label. | | | | If SCTP_SOCKET_TCP or peeled off @@ -198,7 +196,7 @@ hooks with the SELinux specifics expanded below:: security_sctp_assoc_request() security_sctp_bind_connect() security_sctp_sk_clone() - security_inet_conn_established() + security_sctp_assoc_established() =20 =20 security_sctp_assoc_request() 
@@ -271,12 +269,12 @@ sockets sid and peer sid to that contained in the ``@= asoc sid`` and @newsk - pointer to new sock structure. =20 =20 -security_inet_conn_established() +security_sctp_assoc_established() ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Called when a COOKIE ACK is received where it sets the connection's peer s= id to that in ``@skb``:: =20 - @sk - pointer to sock structure. + @asoc - pointer to sctp association structure. @skb - pointer to skbuff of the COOKIE ACK packet. =20 =20 diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index a5a724c308d8..45931d81ccc3 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -332,6 +332,8 @@ LSM_HOOK(int, 0, sctp_bind_connect, struct sock *sk, in= t optname, struct sockaddr *address, int addrlen) LSM_HOOK(void, LSM_RET_VOID, sctp_sk_clone, struct sctp_association *asoc, struct sock *sk, struct sock *newsk) +LSM_HOOK(int, 0, sctp_assoc_established, struct sctp_association *asoc, + struct sk_buff *skb) #endif /* CONFIG_SECURITY_NETWORK */ =20 #ifdef CONFIG_SECURITY_INFINIBAND diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 3bf5c658bc44..419b5febc3ca 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1046,6 +1046,11 @@ * @asoc pointer to current sctp association structure. * @sk pointer to current sock structure. * @newsk pointer to new sock structure. + * @sctp_assoc_established: + * Passes the @asoc and @chunk->skb of the association COOKIE_ACK packet + * to the security module. + * @asoc pointer to sctp association structure. + * @skb pointer to skbuff of association packet. * * Security hooks for Infiniband * diff --git a/include/linux/security.h b/include/linux/security.h index 6d72772182c8..25b3ef71f495 100644 --- a/include/linux/security.h +++ b/include/linux/security.h 
@@ -1422,6 +1422,8 @@ int security_sctp_bind_connect(struct sock *sk, int o= ptname, struct sockaddr *address, int addrlen); void security_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk, struct sock *newsk); +int security_sctp_assoc_established(struct sctp_association *asoc, + struct sk_buff *skb); =20 #else /* CONFIG_SECURITY_NETWORK */ static inline int security_unix_stream_connect(struct sock *sock, @@ -1641,6 +1643,12 @@ static inline void security_sctp_sk_clone(struct sct= p_association *asoc, struct sock *newsk) { } + +static inline int security_sctp_assoc_established(struct sctp_association = *asoc, + struct sk_buff *skb) +{ + return 0; +} #endif /* CONFIG_SECURITY_NETWORK */ =20 #ifdef CONFIG_SECURITY_INFINIBAND diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c index cc544a97c4af..7f342bc12735 100644 --- a/net/sctp/sm_statefuns.c +++ b/net/sctp/sm_statefuns.c @@ -930,6 +930,11 @@ enum sctp_disposition sctp_sf_do_5_1E_ca(struct net *n= et, if (!sctp_vtag_verify(chunk, asoc)) return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); =20 + /* Set peer label for connection. */ + if (security_sctp_assoc_established((struct sctp_association *)asoc, + chunk->skb)) + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + /* Verify that the chunk length for the COOKIE-ACK is OK. * If we don't do this, any bundled chunks may be junked. */ @@ -945,9 +950,6 @@ enum sctp_disposition sctp_sf_do_5_1E_ca(struct net *ne= t, */ sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); =20 - /* Set peer label for connection. */ - security_inet_conn_established(ep->base.sk, chunk->skb); - /* RFC 2960 5.1 Normal Establishment of an Association * * E) Upon reception of the COOKIE ACK, endpoint "A" will move diff --git a/security/security.c b/security/security.c index e649c8691be2..9663ffcca4b0 100644 --- a/security/security.c +++ b/security/security.c 
@@ -2393,6 +2393,13 @@ void security_sctp_sk_clone(struct sctp_association = *asoc, struct sock *sk, } EXPORT_SYMBOL(security_sctp_sk_clone); =20 +int security_sctp_assoc_established(struct sctp_association *asoc, + struct sk_buff *skb) +{ + return call_int_hook(sctp_assoc_established, 0, asoc, skb); +} +EXPORT_SYMBOL(security_sctp_assoc_established); + #endif /* CONFIG_SECURITY_NETWORK */ =20 #ifdef CONFIG_SECURITY_INFINIBAND --=20 2.34.1
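Review bot: In the net/sctp/sm_statefuns.c hunk, a non-zero return from security_sctp_assoc_established() makes sctp_sf_do_5_1E_ca() return sctp_sf_pdiscard(), so a policy denial silently drops the COOKIE ACK and the association never takes the "RFC 2960 5.1 E)" transition to ESTABLISHED shown in the context below; the client only notices when its COOKIE ECHO retransmissions run out. If that is the intended failure mode, the comment above the call (`/* Set peer label for connection. */`) should say that the packet is discarded on denial. Two smaller points on the same hunk: the `(struct sctp_association *)asoc` cast strips the `const` from the function's parameter because the hook writes asoc->peer_secid, which deserves a one-line comment, and the call now runs ahead of the chunk-length check ("Verify that the chunk length for the COOKIE-ACK is OK") rather than where security_inet_conn_established() used to sit after SCTP_CMD_INIT_COUNTER_RESET; a sentence on why it was moved earlier would help the next reader.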
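Review bot: The new @sctp_assoc_established entry in include/linux/lsm_hooks.h documents the arguments but not the return value, although the hook is declared `LSM_HOOK(int, 0, sctp_assoc_established, ...)` in lsm_hook_defs.h and its caller in net/sctp discards the COOKIE ACK on non-zero; add a line such as `Return 0 if permission is granted.` so LSM authors know a non-zero value blocks the association. The same comment says `Passes the @asoc and @chunk->skb of the association COOKIE_ACK packet`, but the parameter listed directly below is @skb, so `Passes the @asoc and @skb of the association COOKIE_ACK packet` would match the argument list.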
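Review bot: In the Documentation/security/SCTP.rst hunk at line 119, the new sentence `Called when a COOKIE ACK is received, and the peer secid will be saved into ``@asoc->peer_secid`` for client::` reads awkwardly and mixes tenses; suggest `Called when a COOKIE ACK is received; on the client side the peer secid is saved into ``@asoc->peer_secid``::`, which also makes it explicit that this hook is the client-side counterpart of security_sctp_assoc_request() described earlier in the same file.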
From: Ondrej Mosnacek
To: netdev@vger.kernel.org, davem@davemloft.net, kuba@kernel.org, selinux@vger.kernel.org, Paul Moore
Cc: Xin Long, Richard Haines, Vlad Yasevich, Neil Horman, Marcelo Ricardo Leitner, linux-sctp@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Prashanth Prahlad
Subject: [PATCH net v3 2/2] security: implement sctp_assoc_established hook in selinux
Date: Sat, 12 Feb 2022 18:59:22 +0100
Message-Id: <20220212175922.665442-3-omosnace@redhat.com>
In-Reply-To: <20220212175922.665442-1-omosnace@redhat.com>
References: <20220212175922.665442-1-omosnace@redhat.com>

Do this by extracting the peer labeling per-association logic from
selinux_sctp_assoc_request() into a new helper
selinux_sctp_process_new_assoc() and use this helper in both
selinux_sctp_assoc_request() and selinux_sctp_assoc_established().

This ensures that the peer labeling behavior as documented in
Documentation/security/SCTP.rst is applied both on the client and server
side:

"""
An SCTP socket will only have one peer label assigned to it. This will be
assigned during the establishment of the first association. Any further
associations on this socket will have their packet peer label compared to
the sockets peer label, and only if they are different will the
``association`` permission be validated. This is validated by checking the
socket peer sid against the received packets peer sid to determine whether
the association should be allowed or denied.
"""

At the same time, it also ensures that the peer label of the association
is set to the correct value, such that if it is peeled off into a new
socket, the socket's peer label will then be set to the association's
peer label, same as it already works on the server side.

While selinux_inet_conn_established() (which we are replacing by
selinux_sctp_assoc_established() for SCTP) only deals with assigning a
peer label to the connection (socket), in case of SCTP we need to also
copy the (local) socket label to the association, so that
selinux_sctp_sk_clone() can then pick it up for the new socket in case of
SCTP peeloff.

Careful readers will notice that the selinux_sctp_process_new_assoc()
helper also includes the "IPv4 packet received over an IPv6 socket" check,
even though it hadn't been in selinux_sctp_assoc_request() before. While
such a check is not necessary in selinux_inet_conn_request() (because
struct request_sock's family field is already set according to the skb's
family), here it is needed, as we don't have request_sock and we take the
initial family from the socket. In selinux_sctp_assoc_established() it is
similarly needed as well (and also selinux_inet_conn_established() already
has it).

Fixes: 72e89f50084c ("security: Add support for SCTP security hooks")
Reported-by: Prashanth Prahlad
Based-on-patch-by: Xin Long
Signed-off-by: Ondrej Mosnacek
Reviewed-by: Xin Long
Tested-by: Richard Haines
---
 security/selinux/hooks.c | 90 +++++++++++++++++++++++++++++-----------
 1 file changed, 66 insertions(+), 24 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index ab32303e6618..dafabb4dcc64 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5238,37 +5238,38 @@ static void selinux_sock_graft(struct sock *sk, str= uct socket *parent) sksec->sclass =3D isec->sclass; } =20 -/* Called whenever SCTP receives an INIT chunk. This happens when an incom= ing - * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association - * already present). +/* + * Determines peer_secid for the asoc and updates socket's peer label + * if it's the first association on the socket. */ -static int selinux_sctp_assoc_request(struct sctp_association *asoc, - struct sk_buff *skb) +static int selinux_sctp_process_new_assoc(struct sctp_association *asoc, + struct sk_buff *skb) { - struct sk_security_struct *sksec =3D asoc->base.sk->sk_security; + struct sock *sk =3D asoc->base.sk; + u16 family =3D sk->sk_family; + struct sk_security_struct *sksec =3D sk->sk_security; struct common_audit_data ad; struct lsm_network_audit net =3D {0,}; - u8 peerlbl_active; - u32 peer_sid =3D SECINITSID_UNLABELED; - u32 conn_sid; - int err =3D 0; + int err; =20 - if (!selinux_policycap_extsockclass()) - return 0; + /* handle mapped IPv4 packets arriving via IPv6 sockets */ + if (family =3D=3D PF_INET6 && skb->protocol =3D=3D htons(ETH_P_IP)) + family =3D PF_INET; =20 - peerlbl_active =3D selinux_peerlbl_enabled(); + if (selinux_peerlbl_enabled()) { + asoc->peer_secid =3D SECSID_NULL; =20 - if (peerlbl_active) { /* This will return peer_sid =3D SECSID_NULL if there are * no peer labels, see security_net_peersid_resolve(). */ - err =3D selinux_skb_peerlbl_sid(skb, asoc->base.sk->sk_family, - &peer_sid); + err =3D selinux_skb_peerlbl_sid(skb, family, &asoc->peer_secid); if (err) return err; =20 - if (peer_sid =3D=3D SECSID_NULL) - peer_sid =3D SECINITSID_UNLABELED; + if (asoc->peer_secid =3D=3D SECSID_NULL) + asoc->peer_secid =3D SECINITSID_UNLABELED; + } else { + asoc->peer_secid =3D SECINITSID_UNLABELED; } =20 if (sksec->sctp_assoc_state =3D=3D SCTP_ASSOC_UNSET) { 
@@ -5279,8 +5280,8 @@ static int selinux_sctp_assoc_request(struct sctp_ass= ociation *asoc, * then it is approved by policy and used as the primary * peer SID for getpeercon(3). */ - sksec->peer_sid =3D peer_sid; - } else if (sksec->peer_sid !=3D peer_sid) { + sksec->peer_sid =3D asoc->peer_secid; + } else if (sksec->peer_sid !=3D asoc->peer_secid) { /* Other association peer SIDs are checked to enforce * consistency among the peer SIDs. */ @@ -5288,11 +5289,32 @@ static int selinux_sctp_assoc_request(struct sctp_a= ssociation *asoc, ad.u.net =3D &net; ad.u.net->sk =3D asoc->base.sk; err =3D avc_has_perm(&selinux_state, - sksec->peer_sid, peer_sid, sksec->sclass, - SCTP_SOCKET__ASSOCIATION, &ad); + sksec->peer_sid, asoc->peer_secid, + sksec->sclass, SCTP_SOCKET__ASSOCIATION, + &ad); if (err) return err; } + return 0; +} + +/* Called whenever SCTP receives an INIT or COOKIE ECHO chunk. This + * happens on an incoming connect(2), sctp_connectx(3) or + * sctp_sendmsg(3) (with no association already present). + */ +static int selinux_sctp_assoc_request(struct sctp_association *asoc, + struct sk_buff *skb) +{ + struct sk_security_struct *sksec =3D asoc->base.sk->sk_security; + u32 conn_sid; + int err; + + if (!selinux_policycap_extsockclass()) + return 0; + + err =3D selinux_sctp_process_new_assoc(asoc, skb); + if (err) + return err; =20 /* Compute the MLS component for the connection and store * the information in asoc. This will be used by SCTP TCP type 
@@ -5300,17 +5322,36 @@ static int selinux_sctp_assoc_request(struct sctp_a= ssociation *asoc, * socket to be generated. selinux_sctp_sk_clone() will then * plug this into the new socket. */ - err =3D selinux_conn_sid(sksec->sid, peer_sid, &conn_sid); + err =3D selinux_conn_sid(sksec->sid, asoc->peer_secid, &conn_sid); if (err) return err; =20 asoc->secid =3D conn_sid; - asoc->peer_secid =3D peer_sid; =20 /* Set any NetLabel labels including CIPSO/CALIPSO options. */ return selinux_netlbl_sctp_assoc_request(asoc, skb); } =20 +/* Called when SCTP receives a COOKIE ACK chunk as the final + * response to an association request (initited by us). + */ +static int selinux_sctp_assoc_established(struct sctp_association *asoc, + struct sk_buff *skb) +{ + struct sk_security_struct *sksec =3D asoc->base.sk->sk_security; + + if (!selinux_policycap_extsockclass()) + return 0; + + /* Inherit secid from the parent socket - this will be picked up + * by selinux_sctp_sk_clone() if the association gets peeled off + * into a new socket. + */ + asoc->secid =3D sksec->sid; + + return selinux_sctp_process_new_assoc(asoc, skb); +} + /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting * based on their @optname. */ @@ -7131,6 +7172,7 @@ static struct security_hook_list selinux_hooks[] __ls= m_ro_after_init =3D { LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request), LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone), LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect), + LSM_HOOK_INIT(sctp_assoc_established, selinux_sctp_assoc_established), LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request), LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone), LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established), --=20 2.34.1
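Review bot: In the security/selinux/hooks.c hunk at line 5238, selinux_sctp_process_new_assoc() now resolves the label straight into asoc->peer_secid before the SCTP_SOCKET__ASSOCIATION check in the following hunk runs, so on a denial the association is left carrying a peer_secid that policy rejected. That is harmless today because both callers propagate the error and the net/sctp caller discards the packet, but the old code kept the value in the local `peer_sid` and only did `asoc->peer_secid = peer_sid;` after the check succeeded; either restore that ordering or add a comment stating that a failed return leaves asoc->peer_secid unusable. Minor: the helper introduces a local `sk`, yet the audit setup in the next hunk still reads `ad.u.net->sk = asoc->base.sk;`.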
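Review bot: Typo in the comment above selinux_sctp_assoc_established() in the hunk at line 5322: `initited` should be `initiated`. In the same function `asoc->secid = sksec->sid;` is assigned before selinux_sctp_process_new_assoc() is given the chance to fail; consider assigning it only after the helper returns 0, which mirrors selinux_sctp_assoc_request() above, where `asoc->secid = conn_sid;` happens only once the helper and selinux_conn_sid() have both succeeded, so that a denied association never carries a label that selinux_sctp_sk_clone() could later copy.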