[PATCH v1 net 2/2] dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses.
Kuniyuki Iwashima
kuniyu at amazon.com
Mon Oct 30 21:20:15 UTC 2023
From: Paul Moore <paul at paul-moore.com>
Date: Mon, 30 Oct 2023 17:12:33 -0400
> On Mon, Oct 30, 2023 at 4:12 PM Kuniyuki Iwashima <kuniyu at amazon.com> wrote:
> >
> > Initially, commit 4237c75c0a35 ("[MLSXFRM]: Auto-labeling of child
> > sockets") introduced security_inet_conn_request() in some functions
> > where reqsk is allocated. The hook is added just after the allocation,
> > so reqsk's IPv6 remote address was not initialised then.
> >
> > However, SELinux/Smack started to read it in netlbl_req_setattr()
> > after commit e1adea927080 ("calipso: Allow request sockets to be
> > relabelled by the lsm.").
> >
> > Commit 284904aa7946 ("lsm: Relocate the IPv4 security_inet_conn_request()
> > hooks") fixed that kind of issue only in TCPv4 because IPv6 labeling was
> > not supported at that time. Finally, the same issue was introduced again
> > in IPv6.
> >
> > Let's apply the same fix on DCCPv6 and TCPv6.
> >
> > Fixes: e1adea927080 ("calipso: Allow request sockets to be relabelled by the lsm.")
> > Signed-off-by: Kuniyuki Iwashima <kuniyu at amazon.com>
> > ---
> > Cc: Huw Davies <huw at codeweavers.com>
> > Cc: Paul Moore <paul at paul-moore.com>
> > ---
> > net/dccp/ipv6.c | 6 +++---
> > net/ipv6/syncookies.c | 7 ++++---
> > 2 files changed, 7 insertions(+), 6 deletions(-)
>
> Thanks for catching this and submitting a patch!
>
> It seems like we should also update dccp_v4_conn_request(), what do you think?
Yes, and it's done in patch 1 as it had a separate Fixes tag.
https://lore.kernel.org/netdev/20231030201042.32885-2-kuniyu@amazon.com/
It seems get_maintainers.pl suggested another email address of
yours for patch 1. It would be good to update .mailmap ;)
Thanks!
More information about the Linux-security-module-archive
mailing list