[PATCH 2/2] selinux: Implement mptcp_add_subflow hook
Paolo Abeni
pabeni at redhat.com
Wed Dec 14 22:01:58 UTC 2022
Newly added subflows should inherit the associated label
from the current process context, regardless of the sk_kern_sock
flag value.
This patch implements the above by resetting the subflow sid, deleting
the existing subflow label (if any), and then re-creating a new one.
Signed-off-by: Paolo Abeni <pabeni at redhat.com>
---
security/selinux/hooks.c | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 3c5be76a9199..cbb4c711c502 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5476,6 +5476,35 @@ static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk
selinux_netlbl_sctp_sk_clone(sk, newsk);
}
+static int selinux_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
+{
+ const struct task_security_struct *tsec = selinux_cred(current_cred());
+ struct sk_security_struct *ssksec = ssk->sk_security;
+ u16 sclass;
+ u32 sid;
+ int err;
+
+ /* create the sid using the current cred, regardless of the ssk kern
+ * flag
+ */
+ sclass = socket_type_to_security_class(ssk->sk_family, ssk->sk_type,
+ ssk->sk_protocol);
+ err = socket_sockcreate_sid(tsec, sclass, &sid);
+ if (err)
+ return err;
+
+ ssksec->sid = sid;
+
+ /* replace the existing subflow label with the new one
+ * inherited from the mptcp socket
+ */
+ if (ssksec->nlbl_secattr != NULL) {
+ netlbl_secattr_free(ssksec->nlbl_secattr);
+ ssksec->nlbl_secattr = NULL;
+ }
+ return selinux_netlbl_socket_post_create(ssk, ssk->sk_family);
+}
+
static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb,
struct request_sock *req)
{
@@ -7216,6 +7245,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
LSM_HOOK_INIT(sctp_assoc_established, selinux_sctp_assoc_established),
+ LSM_HOOK_INIT(mptcp_add_subflow, selinux_mptcp_add_subflow),
LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
--
2.38.1