Commit c269497d authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'selinux-pr-20220321' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux 

Pull selinux updates from Paul Moore:
 "We've got a number of SELinux patches queued up, the highlights are:

   - Fixup the security_fs_context_parse_param() LSM hook so it executes
     all of the LSM hook implementations unless a serious error occurs.

     We also correct the SELinux hook implementation so that it returns
     zero on success.

   - In addition to a few SELinux mount option parsing fixes, we
     simplified the parsing by moving it earlier in the process.

     The logic was that it was unlikely an admin/user would use the new
     mount API and not have the policy loaded before passing the SELinux
     options.

   - Properly fixed the LSM/SELinux/SCTP hooks with the addition of the
     security_sctp_assoc_established() hook.

     This work was done in conjunction with the netdev folks and should
     complete the move of the SCTP labeling from the endpoints to the
     associations.

   - Fixed a variety of sparse warnings caused by changes in the "__rcu"
     markings of some core kernel structures.

   - Ensure we access the superblock's LSM security blob using the
     stacking-safe accessors.

   - Added the ability for the kernel to always allow FIOCLEX and
     FIONCLEX if the "ioctl_skip_cloexec" policy capability is
     specified.

   - Various constifications improvements, type casting improvements,
     additional return value checks, and dead code/parameter removal.

   - Documentation fixes"

* tag 'selinux-pr-20220321' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: (23 commits)
  selinux: shorten the policy capability enum names
  docs: fix 'make htmldocs' warning in SCTP.rst
  selinux: allow FIOCLEX and FIONCLEX with policy capability
  selinux: use correct type for context length
  selinux: drop return statement at end of void functions
  security: implement sctp_assoc_established hook in selinux
  security: add sctp_assoc_established hook
  selinux: parse contexts for mount options early
  selinux: various sparse fixes
  selinux: try to use preparsed sid before calling parse_sid()
  selinux: Fix selinux_sb_mnt_opts_compat()
  LSM: general protection fault in legacy_parse_param
  selinux: fix a type cast problem in cred_init_security()
  selinux: drop unused macro
  selinux: simplify cred_init_security
  selinux: do not discard const qualifier in cast
  selinux: drop unused parameter of avtab_insert_node
  selinux: drop cast to same type
  selinux: enclose macro arguments in parenthesis
  selinux: declare name parameter of hash_eval const
  ...
parents 7f313ff0 cdbec3ed

Documentation/security/SCTP.rst

+12 −14
Original line number Diff line number Diff line
@@ -15,10 +15,7 @@ For security module support, three SCTP specific hooks have been implemented:: 
    security_sctp_assoc_request()

    security_sctp_bind_connect()

    security_sctp_sk_clone()



Also the following security hook has been utilised::



    security_inet_conn_established()

    security_sctp_assoc_established()



The usage of these hooks are described below with the SELinux implementation

described in the `SCTP SELinux Support`_ chapter.
@@ -122,11 +119,12 @@ calls **sctp_peeloff**\(3). 
    @newsk - pointer to new sock structure.





security_inet_conn_established()

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Called when a COOKIE ACK is received::

security_sctp_assoc_established()

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Called when a COOKIE ACK is received, and the peer secid will be

saved into ``@asoc->peer_secid`` for client::



    @sk  - pointer to sock structure.

    @asoc - pointer to sctp association structure.

    @skb - pointer to skbuff of the COOKIE ACK packet.
@@ -134,7 +132,7 @@ Security Hooks used for Association Establishment 
-------------------------------------------------



The following diagram shows the use of ``security_sctp_bind_connect()``,

``security_sctp_assoc_request()``, ``security_inet_conn_established()`` when

``security_sctp_assoc_request()``, ``security_sctp_assoc_established()`` when

establishing an association.

::
@@ -172,7 +170,7 @@ establishing an association. 
          <------------------------------------------- COOKIE ACK

          |                                               |

    sctp_sf_do_5_1E_ca                                    |

 Call security_inet_conn_established()                    |

 Call security_sctp_assoc_established()                   |

 to set the peer label.                                   |

          |                                               |

          |                               If SCTP_SOCKET_TCP or peeled off
@@ -198,7 +196,7 @@ hooks with the SELinux specifics expanded below:: 
    security_sctp_assoc_request()

    security_sctp_bind_connect()

    security_sctp_sk_clone()

    security_inet_conn_established()

    security_sctp_assoc_established()





security_sctp_assoc_request()
@@ -271,12 +269,12 @@ sockets sid and peer sid to that contained in the ``@asoc sid`` and 
    @newsk - pointer to new sock structure.





security_inet_conn_established()

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

security_sctp_assoc_established()

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Called when a COOKIE ACK is received where it sets the connection's peer sid

to that in ``@skb``::



    @sk  - pointer to sock structure.

    @asoc - pointer to sctp association structure.

    @skb - pointer to skbuff of the COOKIE ACK packet.

include/linux/lsm_hook_defs.h

+2 −0
Original line number Diff line number Diff line
@@ -332,6 +332,8 @@ LSM_HOOK(int, 0, sctp_bind_connect, struct sock *sk, int optname, 
	 struct sockaddr *address, int addrlen)

LSM_HOOK(void, LSM_RET_VOID, sctp_sk_clone, struct sctp_association *asoc,

	 struct sock *sk, struct sock *newsk)

LSM_HOOK(int, 0, sctp_assoc_established, struct sctp_association *asoc,

	 struct sk_buff *skb)

#endif /* CONFIG_SECURITY_NETWORK */



#ifdef CONFIG_SECURITY_INFINIBAND

include/linux/lsm_hooks.h

+5 −0
Original line number Diff line number Diff line
@@ -1046,6 +1046,11 @@ 
 *	@asoc pointer to current sctp association structure.

 *	@sk pointer to current sock structure.

 *	@newsk pointer to new sock structure.

 * @sctp_assoc_established:

 *	Passes the @asoc and @chunk->skb of the association COOKIE_ACK packet

 *	to the security module.

 *	@asoc pointer to sctp association structure.

 *	@skb pointer to skbuff of association packet.

 *

 * Security hooks for Infiniband

 *

include/linux/security.h

+8 −0
Original line number Diff line number Diff line
@@ -1422,6 +1422,8 @@ int security_sctp_bind_connect(struct sock *sk, int optname, 
			       struct sockaddr *address, int addrlen);

void security_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk,

			    struct sock *newsk);

int security_sctp_assoc_established(struct sctp_association *asoc,

				    struct sk_buff *skb);



#else	/* CONFIG_SECURITY_NETWORK */

static inline int security_unix_stream_connect(struct sock *sock,
@@ -1641,6 +1643,12 @@ static inline void security_sctp_sk_clone(struct sctp_association *asoc, 
					  struct sock *newsk)

{

}



static inline int security_sctp_assoc_established(struct sctp_association *asoc,

						  struct sk_buff *skb)

{

	return 0;

}

#endif	/* CONFIG_SECURITY_NETWORK */



#ifdef CONFIG_SECURITY_INFINIBAND

net/sctp/sm_statefuns.c

+5 −3
Original line number Diff line number Diff line
@@ -930,6 +930,11 @@ enum sctp_disposition sctp_sf_do_5_1E_ca(struct net *net, 
	if (!sctp_vtag_verify(chunk, asoc))

		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);



	/* Set peer label for connection. */

	if (security_sctp_assoc_established((struct sctp_association *)asoc,

					    chunk->skb))

		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);



	/* Verify that the chunk length for the COOKIE-ACK is OK.

	 * If we don't do this, any bundled chunks may be junked.

	 */
@@ -945,9 +950,6 @@ enum sctp_disposition sctp_sf_do_5_1E_ca(struct net *net, 
	 */

	sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());



	/* Set peer label for connection. */

	security_inet_conn_established(ep->base.sk, chunk->skb);



	/* RFC 2960 5.1 Normal Establishment of an Association

	 *

	 * E) Upon reception of the COOKIE ACK, endpoint "A" will move