[PATCH 1/6] LSM: Infrastructure management of the sock security
Casey Schaufler
casey at schaufler-ca.com
Tue Jul 9 23:29:14 UTC 2024
On 7/9/2024 4:05 PM, Paul Moore wrote:
> On Tue, Jul 9, 2024 at 7:00 PM Casey Schaufler <casey at schaufler-ca.com> wrote:
>> On 7/9/2024 12:15 PM, Paul Moore wrote:
>>> On Mon, Jul 8, 2024 at 5:40 PM Casey Schaufler <casey at schaufler-ca.com> wrote:
>>>> Move management of the sock->sk_security blob out
>>>> of the individual security modules and into the security
>>>> infrastructure. Instead of allocating the blobs from within
>>>> the modules the modules tell the infrastructure how much
>>>> space is required, and the space is allocated there.
>>>>
>>>> Acked-by: Paul Moore <paul at paul-moore.com>
>>>> Reviewed-by: Kees Cook <keescook at chromium.org>
>>>> Reviewed-by: John Johansen <john.johansen at canonical.com>
>>>> Acked-by: Stephen Smalley <stephen.smalley.work at gmail.com>
>>>> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
>>>> ---
>>>> include/linux/lsm_hooks.h | 1 +
>>>> security/apparmor/include/net.h | 3 +-
>>>> security/apparmor/lsm.c | 17 +------
>>>> security/apparmor/net.c | 2 +-
>>>> security/security.c | 36 +++++++++++++-
>>>> security/selinux/hooks.c | 80 ++++++++++++++-----------------
>>>> security/selinux/include/objsec.h | 5 ++
>>>> security/selinux/netlabel.c | 23 ++++-----
>>>> security/smack/smack.h | 5 ++
>>>> security/smack/smack_lsm.c | 70 +++++++++++++--------------
>>>> security/smack/smack_netfilter.c | 4 +-
>>>> 11 files changed, 133 insertions(+), 113 deletions(-)
>>> ..
>>>
>>>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>>>> index 7eed331e90f0..19346e1817ff 100644
>>>> --- a/security/selinux/hooks.c
>>>> +++ b/security/selinux/hooks.c
>>>> @@ -5495,8 +5488,8 @@ static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk
>>>>
>>>> static int selinux_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
>>>> {
>>>> - struct sk_security_struct *ssksec = ssk->sk_security;
>>>> - struct sk_security_struct *sksec = sk->sk_security;
>>>> + struct sk_security_struct *ssksec = selinux_sock(ssk);
>>>> + struct sk_security_struct *sksec = selinux_sock(sk);
>>>>
>>>> ssksec->sclass = sksec->sclass;
>>>> ssksec->sid = sksec->sid;
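Review bot: This accessor change in selinux_mptcp_add_subflow() was missing from the revision already in lsm/dev, which shows how easily a direct `sk->sk_security` dereference survives the move to infrastructure-managed blobs; before this lands, a `git grep sk_security security/selinux security/smack security/apparmor` should confirm no raw dereference remains, since `ssk->sk_security` now points at the blob the infrastructure allocated rather than at the module's own `struct sk_security_struct`, and `selinux_sock()` is the only correct way to reach it.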
>>> That's new :)
>>>
>>> Unfortunately I merged a previous version of this patch into lsm/dev a
>>> couple of weeks ago (see below) which appears to have a bug based on
>>> the changes in this revision (lore link below). While I'm generally
>>> averse to popping patches off the lsm/dev branch so as to not upset
>>> any ongoing development work, given that we are at -rc7 it's probably
>>> okay and much cleaner than doing a full revert; I'll remove that
>>> commit now.
>> Sorry 'bout that. I had troubles with kernels built from lsm/dev crashing,
>> so I switched to Linus' tree.
> No worries, that's fine, my policy is that I'll typically resolve
> merge conflicts so long as the patches are based on either Linus' or
> the subsystem tree. In this case it turned out to be a good thing as
> it highlighted the MPTCP omission in the commit merged into lsm/dev.
>
> However, do you have any more detail on the lsm/dev crashes you are
> seeing? I wonder if it is general v6.10-rc1 instability ...
Alas, no. My VMs just stopped hard, with no panic or traces.
The problem went away with rc3 (I did almost nothing with rc2)
so I shrugged it off and moved on.