SO_PEERSEC protections in sk_getsockopt()?
Paul Moore
paul at paul-moore.com
Fri Oct 7 17:43:15 UTC 2022
On Wed, Oct 5, 2022 at 4:44 PM Paul Moore <paul at paul-moore.com> wrote:
>
> Hi Martin,
>
> In commit 4ff09db1b79b ("bpf: net: Change sk_getsockopt() to take the
> sockptr_t argument") I see you wrapped the getsockopt value/len
> pointers with sockptr_t and in the SO_PEERSEC case you pass the
> sockptr_t:user field to avoid having to update the LSM hook and
> implementations. I think that's fine, especially as you note that
> eBPF does not support fetching the SO_PEERSEC information, but I think
> it would be good to harden this case to prevent someone from calling
> sk_getsockopt(SO_PEERSEC) with kernel pointers. What do you think of
> something like this?
>
> static int sk_getsockopt(...)
> {
> /* ... */
> case SO_PEERSEC:
> if (optval.is_kernel || optlen.is_kernel)
> return -EINVAL;
> return security_socket_getpeersec_stream(...);
> /* ... */
> }
Any thoughts on this Martin, Alexei? It would be nice to see this
fixed soon ...
--
paul-moore.com
More information about the Linux-security-module-archive
mailing list