[PATCH v1 net 2/2] dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses.
Paul Moore
paul at paul-moore.com
Mon Oct 30 22:00:00 UTC 2023
On Mon, Oct 30, 2023 at 5:20 PM Kuniyuki Iwashima <kuniyu at amazon.com> wrote:
> From: Paul Moore <paul at paul-moore.com>
> Date: Mon, 30 Oct 2023 17:12:33 -0400
> > On Mon, Oct 30, 2023 at 4:12 PM Kuniyuki Iwashima <kuniyu at amazon.com> wrote:
> > >
> > > Initially, commit 4237c75c0a35 ("[MLSXFRM]: Auto-labeling of child
> > > sockets") introduced security_inet_conn_request() in some functions
> > > where reqsk is allocated. The hook is added just after the allocation,
> > > so reqsk's IPv6 remote address was not initialised then.
> > >
> > > However, SELinux/Smack started to read it in netlbl_req_setattr()
> > > after commit e1adea927080 ("calipso: Allow request sockets to be
> > > relabelled by the lsm.").
> > >
> > > Commit 284904aa7946 ("lsm: Relocate the IPv4 security_inet_conn_request()
> > > hooks") fixed that kind of issue only in TCPv4 because IPv6 labeling was
> > > not supported at that time. Finally, the same issue was introduced again
> > > in IPv6.
> > >
> > > Let's apply the same fix on DCCPv6 and TCPv6.
> > >
> > > Fixes: e1adea927080 ("calipso: Allow request sockets to be relabelled by the lsm.")
> > > Signed-off-by: Kuniyuki Iwashima <kuniyu at amazon.com>
> > > ---
> > > Cc: Huw Davies <huw at codeweavers.com>
> > > Cc: Paul Moore <paul at paul-moore.com>
> > > ---
> > > net/dccp/ipv6.c | 6 +++---
> > > net/ipv6/syncookies.c | 7 ++++---
> > > 2 files changed, 7 insertions(+), 6 deletions(-)
> >
> > Thanks for catching this and submitting a patch!
> >
> > It seems like we should also update dccp_v4_conn_request(), what do you think?
>
> Yes, and it's done in patch 1 as it had a separate Fixes tag.
> https://lore.kernel.org/netdev/20231030201042.32885-2-kuniyu@amazon.com/
Great, thanks for doing that. netdev folks, please feel free to add
my ACK to both patches in the patchset.
Acked-by: Paul Moore <paul at paul-moore.com>
> It seems get_maintainers.pl suggested another email address of
> yours for patch 1. It would be good to update .mailmap ;)
Yes, I really should, thanks for the reminder. I'll send an update to
Linus once I get the merge window PRs sorted out.
--
paul-moore.com
More information about the Linux-security-module-archive
mailing list