Commit c081d53f authored by Xin Long's avatar Xin Long Committed by David S. Miller

security: pass asoc to sctp_assoc_request and sctp_sk_clone



This patch is to move secid and peer_secid from endpoint to association,
and pass asoc to sctp_assoc_request and sctp_sk_clone instead of ep. As
ep is the local endpoint and asoc represents a connection, and in SCTP
one sk/ep could have multiple asoc/connection, saving secid/peer_secid
for new asoc will overwrite the old asoc's.

Note that since asoc can be passed as NULL, security_sctp_assoc_request()
is moved to the place right after the new_asoc is created in
sctp_sf_do_5_1B_init() and sctp_sf_do_unexpected_init().

v1->v2:
  - fix the description of selinux_netlbl_skbuff_setsid(), as Jakub noticed.
  - fix the annotation in selinux_sctp_assoc_request(), as Richard noticed.

Fixes: 72e89f50 ("security: Add support for SCTP security hooks")
Reported-by: default avatarPrashanth Prahlad <pprahlad@redhat.com>
Reviewed-by: default avatarRichard Haines <richard_c_haines@btinternet.com>
Tested-by: default avatarRichard Haines <richard_c_haines@btinternet.com>
Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 843c3cbb
+14 −14
@@ -26,11 +26,11 @@ described in the `SCTP SELinux Support`_ chapter.

security_sctp_assoc_request()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Passes the ``@ep`` and ``@chunk->skb`` of the association INIT packet to the
Passes the ``@asoc`` and ``@chunk->skb`` of the association INIT packet to the
security module. Returns 0 on success, error on failure.
::

    @ep - pointer to sctp endpoint structure.
    @asoc - pointer to sctp association structure.
    @skb - pointer to skbuff of association packet.


@@ -117,9 +117,9 @@ Called whenever a new socket is created by **accept**\(2)
calls **sctp_peeloff**\(3).
::

    @ep - pointer to current sctp endpoint structure.
    @asoc - pointer to current sctp association structure.
    @sk - pointer to current sock structure.
    @sk - pointer to new sock structure.
    @newsk - pointer to new sock structure.


security_inet_conn_established()
@@ -200,22 +200,22 @@ hooks with the SELinux specifics expanded below::

security_sctp_assoc_request()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Passes the ``@ep`` and ``@chunk->skb`` of the association INIT packet to the
Passes the ``@asoc`` and ``@chunk->skb`` of the association INIT packet to the
security module. Returns 0 on success, error on failure.
::

    @ep - pointer to sctp endpoint structure.
    @asoc - pointer to sctp association structure.
    @skb - pointer to skbuff of association packet.

The security module performs the following operations:
     IF this is the first association on ``@ep->base.sk``, then set the peer
     IF this is the first association on ``@asoc->base.sk``, then set the peer
     sid to that in ``@skb``. This will ensure there is only one peer sid
     assigned to ``@ep->base.sk`` that may support multiple associations.
     assigned to ``@asoc->base.sk`` that may support multiple associations.

     ELSE validate the ``@ep->base.sk peer_sid`` against the ``@skb peer sid``
     ELSE validate the ``@asoc->base.sk peer_sid`` against the ``@skb peer sid``
     to determine whether the association should be allowed or denied.

     Set the sctp ``@ep sid`` to socket's sid (from ``ep->base.sk``) with
     Set the sctp ``@asoc sid`` to socket's sid (from ``asoc->base.sk``) with
     MLS portion taken from ``@skb peer sid``. This will be used by SCTP
     TCP style sockets and peeled off connections as they cause a new socket
     to be generated.
@@ -259,13 +259,13 @@ security_sctp_sk_clone()
Called whenever a new socket is created by **accept**\(2) (i.e. a TCP style
socket) or when a socket is 'peeled off' e.g userspace calls
**sctp_peeloff**\(3). ``security_sctp_sk_clone()`` will set the new
sockets sid and peer sid to that contained in the ``@ep sid`` and
``@ep peer sid`` respectively.
sockets sid and peer sid to that contained in the ``@asoc sid`` and
``@asoc peer sid`` respectively.
::

    @ep - pointer to current sctp endpoint structure.
    @asoc - pointer to current sctp association structure.
    @sk - pointer to current sock structure.
    @sk - pointer to new sock structure.
    @newsk - pointer to new sock structure.


security_inet_conn_established()
+2 −2
@@ -329,11 +329,11 @@ LSM_HOOK(int, 0, tun_dev_create, void)
LSM_HOOK(int, 0, tun_dev_attach_queue, void *security)
LSM_HOOK(int, 0, tun_dev_attach, struct sock *sk, void *security)
LSM_HOOK(int, 0, tun_dev_open, void *security)
LSM_HOOK(int, 0, sctp_assoc_request, struct sctp_endpoint *ep,
LSM_HOOK(int, 0, sctp_assoc_request, struct sctp_association *asoc,
	 struct sk_buff *skb)
LSM_HOOK(int, 0, sctp_bind_connect, struct sock *sk, int optname,
	 struct sockaddr *address, int addrlen)
LSM_HOOK(void, LSM_RET_VOID, sctp_sk_clone, struct sctp_endpoint *ep,
LSM_HOOK(void, LSM_RET_VOID, sctp_sk_clone, struct sctp_association *asoc,
	 struct sock *sk, struct sock *newsk)
#endif /* CONFIG_SECURITY_NETWORK */

+4 −4
@@ -1027,9 +1027,9 @@
 * Security hooks for SCTP
 *
 * @sctp_assoc_request:
 *	Passes the @ep and @chunk->skb of the association INIT packet to
 *	Passes the @asoc and @chunk->skb of the association INIT packet to
 *	the security module.
 *	@ep pointer to sctp endpoint structure.
 *	@asoc pointer to sctp association structure.
 *	@skb pointer to skbuff of association packet.
 *	Return 0 on success, error on failure.
 * @sctp_bind_connect:
@@ -1047,9 +1047,9 @@
 *	Called whenever a new socket is created by accept(2) (i.e. a TCP
 *	style socket) or when a socket is 'peeled off' e.g userspace
 *	calls sctp_peeloff(3).
 *	@ep pointer to current sctp endpoint structure.
 *	@asoc pointer to current sctp association structure.
 *	@sk pointer to current sock structure.
 *	@sk pointer to new sock structure.
 *	@newsk pointer to new sock structure.
 *
 * Security hooks for Infiniband
 *
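Review bot: The @sctp_assoc_request kernel-doc at the `@asoc pointer to sctp association structure.` line reads as a pure type substitution and does not state the contract this commit introduces: per the description the hook now runs right after new_asoc is created in sctp_sf_do_5_1B_init() and sctp_sf_do_unexpected_init(), and the description also says asoc can be passed as NULL. An LSM author reading only this comment cannot tell whether @asoc may be NULL or that the hook is now invoked once per association rather than once per endpoint. I would change the line to `@asoc pointer to the sctp association created for the incoming INIT; called once per association, not per endpoint.` and add one sentence that states explicitly whether a NULL @asoc is possible, which I cannot confirm from this hunk alone. The duplicated description in the Documentation rst section earlier in this commit would want the same wording.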
+5 −5
@@ -179,7 +179,7 @@ struct xfrm_policy;
struct xfrm_state;
struct xfrm_user_sec_ctx;
struct seq_file;
struct sctp_endpoint;
struct sctp_association;

#ifdef CONFIG_MMU
extern unsigned long mmap_min_addr;
@@ -1425,10 +1425,10 @@ int security_tun_dev_create(void);
int security_tun_dev_attach_queue(void *security);
int security_tun_dev_attach(struct sock *sk, void *security);
int security_tun_dev_open(void *security);
int security_sctp_assoc_request(struct sctp_endpoint *ep, struct sk_buff *skb);
int security_sctp_assoc_request(struct sctp_association *asoc, struct sk_buff *skb);
int security_sctp_bind_connect(struct sock *sk, int optname,
			       struct sockaddr *address, int addrlen);
void security_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
void security_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk,
			    struct sock *newsk);

#else	/* CONFIG_SECURITY_NETWORK */
@@ -1631,7 +1631,7 @@ static inline int security_tun_dev_open(void *security)
	return 0;
}

static inline int security_sctp_assoc_request(struct sctp_endpoint *ep,
static inline int security_sctp_assoc_request(struct sctp_association *asoc,
					      struct sk_buff *skb)
{
	return 0;
@@ -1644,7 +1644,7 @@ static inline int security_sctp_bind_connect(struct sock *sk, int optname,
	return 0;
}

static inline void security_sctp_sk_clone(struct sctp_endpoint *ep,
static inline void security_sctp_sk_clone(struct sctp_association *asoc,
					  struct sock *sk,
					  struct sock *newsk)
{
+10 −10
@@ -1355,16 +1355,6 @@ struct sctp_endpoint {
	      reconf_enable:1;

	__u8  strreset_enable;

	/* Security identifiers from incoming (INIT). These are set by
	 * security_sctp_assoc_request(). These will only be used by
	 * SCTP TCP type sockets and peeled off connections as they
	 * cause a new socket to be generated. security_sctp_sk_clone()
	 * will then plug these into the new socket.
	 */

	u32 secid;
	u32 peer_secid;
};

/* Recover the outter endpoint structure. */
@@ -2104,6 +2094,16 @@ struct sctp_association {
	__u64 abandoned_unsent[SCTP_PR_INDEX(MAX) + 1];
	__u64 abandoned_sent[SCTP_PR_INDEX(MAX) + 1];

	/* Security identifiers from incoming (INIT). These are set by
	 * security_sctp_assoc_request(). These will only be used by
	 * SCTP TCP type sockets and peeled off connections as they
	 * cause a new socket to be generated. security_sctp_sk_clone()
	 * will then plug these into the new socket.
	 */

	u32 secid;
	u32 peer_secid;

	struct rcu_head rcu;
};
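Review bot: The comment moved onto `struct sctp_association` above `u32 secid;` is copied verbatim from the endpoint and still says only that the identifiers "will only be used by SCTP TCP type sockets and peeled off connections", without recording why they live here now: one endpoint can own several associations, so a per-endpoint secid/peer_secid was overwritten by each new association, as the commit description explains. I would extend the comment with `Per-association, not per-endpoint: an endpoint may carry several associations and each keeps its own secid/peer_secid.` so the next reader does not move them back. Since security_sctp_sk_clone() now reads these fields from the association, both depend on the association allocation path (outside this hunk, presumably sctp_association_new()) zeroing the structure and on every association that can reach sk_clone having passed through security_sctp_assoc_request(); that is worth confirming so the LSM never copies an uninitialised sid into a new socket. Also, the blank line between the comment block and the two fields separates the comment from what it documents; dropping it keeps the usual kernel style.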
