From patchwork Fri May 4 14:28:19 2018
X-Patchwork-Submitter: David Herrmann
X-Patchwork-Id: 908787
X-Patchwork-Delegate: davem@davemloft.net
From: David Herrmann
To: linux-kernel@vger.kernel.org
Cc: James Morris, Paul Moore, teg@jklm.no, Stephen Smalley, selinux@tycho.nsa.gov, linux-security-module@vger.kernel.org, Eric Paris, serge@hallyn.com, Casey Schaufler, davem@davemloft.net, netdev@vger.kernel.org, David Herrmann
Subject: [PATCH v2 1/4] security: add hook for socketpair()
Date: Fri, 4 May 2018 16:28:19 +0200
Message-Id: <20180504142822.15233-2-dh.herrmann@gmail.com>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180504142822.15233-1-dh.herrmann@gmail.com>
References: <20180504142822.15233-1-dh.herrmann@gmail.com>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: netdev@vger.kernel.org

Right now the LSM labels for socketpairs are always uninitialized, since there is no security hook for the socketpair() syscall. This patch adds the required hooks so LSMs can properly label socketpairs. This allows SO_PEERSEC to return useful information on those sockets.

Note that the behavior of socketpair() can be emulated by creating a listener socket, connecting to it, and then discarding the initial listener socket. With this workaround, SO_PEERSEC would return the caller's security context. However, with socketpair(), the uninitialized context is returned unconditionally. This is unexpected and makes socketpair() less useful in situations where the security context is crucial to the application.

With the new socketpair-hook this disparity can be solved by making socketpair() return the expected security context.

Acked-by: Serge Hallyn
Signed-off-by: Tom Gundersen
Signed-off-by: David Herrmann
---
 include/linux/lsm_hooks.h | 7 +++++++
 include/linux/security.h  | 7 +++++++
 security/security.c       | 6 ++++++
 3 files changed, 20 insertions(+)

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 9d0b286f3dba..8f1131c8dd54 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -757,6 +757,11 @@ * @type contains the requested communications type. * @protocol contains the requested protocol. * @kern set to 1 if a kernel socket. + * @socket_socketpair: + * Check permissions before creating a fresh pair of sockets. + * @socka contains the first socket structure. + * @sockb contains the second socket structure. + * Return 0 if permission is granted and the connection was established. * @socket_bind: * Check permission before socket protocol layer bind operation is * performed and the socket @sock is bound to the address specified in the @@ -1656,6 +1661,7 @@ union security_list_options { int (*socket_create)(int family, int type, int protocol, int kern); int (*socket_post_create)(struct socket *sock, int family, int type, int protocol, int kern); + int (*socket_socketpair)(struct socket *socka, struct socket *sockb); int (*socket_bind)(struct socket *sock, struct sockaddr *address, int addrlen); int (*socket_connect)(struct socket *sock, struct sockaddr *address, @@ -1922,6 +1928,7 @@ struct security_hook_heads { struct hlist_head unix_may_send; struct hlist_head socket_create; struct hlist_head socket_post_create; + struct hlist_head socket_socketpair; struct hlist_head socket_bind; struct hlist_head socket_connect; struct hlist_head socket_listen; diff --git a/include/linux/security.h b/include/linux/security.h index 200920f521a1..4ff3ba457e56 100644 --- a/include/linux/security.h +++ b/include/linux/security.h 
@@ -1191,6 +1191,7 @@ int security_unix_may_send(struct socket *sock, struct socket *other); int security_socket_create(int family, int type, int protocol, int kern); int security_socket_post_create(struct socket *sock, int family, int type, int protocol, int kern); +int security_socket_socketpair(struct socket *socka, struct socket *sockb); int security_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen); int security_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen); int security_socket_listen(struct socket *sock, int backlog); @@ -1262,6 +1263,12 @@ static inline int security_socket_post_create(struct socket *sock, return 0; } +static inline int security_socket_socketpair(struct socket *socka, + struct socket *sockb) +{ + return 0; +} + static inline int security_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) diff --git a/security/security.c b/security/security.c index 7bc2fde023a7..68f46d849abe 100644 --- a/security/security.c +++ b/security/security.c 
@@ -1358,6 +1358,12 @@ int security_socket_post_create(struct socket *sock, int family, protocol, kern); } +int security_socket_socketpair(struct socket *socka, struct socket *sockb) +{ + return call_int_hook(socket_socketpair, 0, socka, sockb); +} +EXPORT_SYMBOL(security_socket_socketpair); + int security_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) { return call_int_hook(socket_bind, 0, sock, address, addrlen);

From patchwork Fri May 4 14:28:20 2018
X-Patchwork-Submitter: David Herrmann
X-Patchwork-Id: 908785
X-Patchwork-Delegate: davem@davemloft.net
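Review bot: the kerneldoc for @socket_socketpair in the lsm_hooks.h hunk ends with "Return 0 if permission is granted and the connection was established", which contradicts the line just above it describing the hook as a check made before the pair of sockets is created; at that point nothing has been connected yet and the hook cannot know whether the protocol will later link the two sockets. Suggest trimming it to "Return 0 if permission is granted."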
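Review bot: in the security.c hunk, security_socket_socketpair() gets an EXPORT_SYMBOL while security_socket_post_create() directly above it ends without one; if the export is there for an out-of-tree or modular caller, the commit message should say so, otherwise drop it so the new wrapper matches its neighbours.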
From: David Herrmann
To: linux-kernel@vger.kernel.org
Cc: James Morris, Paul Moore, teg@jklm.no, Stephen Smalley, selinux@tycho.nsa.gov, linux-security-module@vger.kernel.org, Eric Paris, serge@hallyn.com, Casey Schaufler, davem@davemloft.net, netdev@vger.kernel.org, David Herrmann
Subject: [PATCH v2 2/4] net: hook socketpair() into LSM
Date: Fri, 4 May 2018 16:28:20 +0200
Message-Id: <20180504142822.15233-3-dh.herrmann@gmail.com>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180504142822.15233-1-dh.herrmann@gmail.com>
References: <20180504142822.15233-1-dh.herrmann@gmail.com>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: netdev@vger.kernel.org

Use the newly created LSM-hook for socketpair(). The default hook return-value is 0, so behavior stays the same unless LSMs start using this hook.

Acked-by: Serge Hallyn
Signed-off-by: Tom Gundersen
Signed-off-by: David Herrmann
Acked-by: David S. Miller
---
 net/socket.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/net/socket.c b/net/socket.c
index f10f1d947c78..667a7b397134 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1420,6 +1420,13 @@ int __sys_socketpair(int family, int type, int protocol, int __user *usockvec) goto out; } + err = security_socket_socketpair(sock1, sock2); + if (unlikely(err)) { + sock_release(sock2); + sock_release(sock1); + goto out; + } + err = sock1->ops->socketpair(sock1, sock2); if (unlikely(err < 0)) { sock_release(sock2);

From patchwork Fri May 4 14:28:21 2018
X-Patchwork-Submitter: David Herrmann
X-Patchwork-Id: 908788
X-Patchwork-Delegate: davem@davemloft.net
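Review bot: the new check is written as `if (unlikely(err))` while the protocol call directly below it tests `if (unlikely(err < 0))`; both are correct for a hook that returns 0 or a negative errno, but using the same form keeps the two adjacent error paths visibly parallel. The cleanup order itself (sock_release(sock2), sock_release(sock1), goto out) mirrors the existing path, and placing the hook after both sockets exist but before sock1->ops->socketpair() links them is the right point for a permission check.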
From: David Herrmann
To: linux-kernel@vger.kernel.org
Cc: James Morris, Paul Moore, teg@jklm.no, Stephen Smalley, selinux@tycho.nsa.gov, linux-security-module@vger.kernel.org, Eric Paris, serge@hallyn.com, Casey Schaufler, davem@davemloft.net, netdev@vger.kernel.org, David Herrmann
Subject: [PATCH v2 3/4] selinux: provide socketpair callback
Date: Fri, 4 May 2018 16:28:21 +0200
Message-Id: <20180504142822.15233-4-dh.herrmann@gmail.com>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180504142822.15233-1-dh.herrmann@gmail.com>
References: <20180504142822.15233-1-dh.herrmann@gmail.com>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: netdev@vger.kernel.org

Make sure to implement the new socketpair callback so the SO_PEERSEC call on socketpair(2)s will return correct information.

Acked-by: Serge Hallyn
Acked-by: Stephen Smalley
Signed-off-by: Tom Gundersen
Signed-off-by: David Herrmann
---
 security/selinux/hooks.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 4cafe6a19167..02ebd1585eaf 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4569,6 +4569,18 @@ static int selinux_socket_post_create(struct socket *sock, int family, return err; } +static int selinux_socket_socketpair(struct socket *socka, + struct socket *sockb) +{ + struct sk_security_struct *sksec_a = socka->sk->sk_security; + struct sk_security_struct *sksec_b = sockb->sk->sk_security; + + sksec_a->peer_sid = sksec_b->sid; + sksec_b->peer_sid = sksec_a->sid; + + return 0; +} + /* Range of port numbers used to automatically bind. Need to determine whether we should perform a name_bind permission check between the socket and the port number. */
@@ -6999,6 +7011,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(socket_create, selinux_socket_create), LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create), + LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair), LSM_HOOK_INIT(socket_bind, selinux_socket_bind), LSM_HOOK_INIT(socket_connect, selinux_socket_connect), LSM_HOOK_INIT(socket_listen, selinux_socket_listen),

From patchwork Fri May 4 14:28:22 2018
X-Patchwork-Submitter: David Herrmann
X-Patchwork-Id: 908786
X-Patchwork-Delegate: davem@davemloft.net
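Review bot: selinux_socket_socketpair() in the hooks.c hunk has no comment explaining the two assignments (each end's peer_sid becomes the other end's own sid, so SO_PEERSEC on either fd reports the creating task's context); the Smack counterpart in 4/4 carries a kerneldoc block for the same cross-referencing, and a matching one here would help. The function also dereferences socka->sk and sockb->sk unconditionally, which relies on the call site in 2/4 running only after both sockets were created; a short comment stating that assumption would save the next reader the lookup.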
From: David Herrmann
To: linux-kernel@vger.kernel.org
Cc: James Morris, Paul Moore, teg@jklm.no, Stephen Smalley, selinux@tycho.nsa.gov, linux-security-module@vger.kernel.org, Eric Paris, serge@hallyn.com, Casey Schaufler, davem@davemloft.net, netdev@vger.kernel.org, David Herrmann
Subject: [PATCH v2 4/4] smack: provide socketpair callback
Date: Fri, 4 May 2018 16:28:22 +0200
Message-Id: <20180504142822.15233-5-dh.herrmann@gmail.com>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180504142822.15233-1-dh.herrmann@gmail.com>
References: <20180504142822.15233-1-dh.herrmann@gmail.com>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: netdev@vger.kernel.org

From: Tom Gundersen

Make sure to implement the new socketpair callback so the SO_PEERSEC call on socketpair(2)s will return correct information.

Signed-off-by: Tom Gundersen
Signed-off-by: David Herrmann
Acked-by: Casey Schaufler
---
 security/smack/smack_lsm.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 0b414836bebd..dcb976f98df2 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -2842,6 +2842,27 @@ static int smack_socket_post_create(struct socket *sock, int family, return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); } +/** + * smack_socket_socketpair - create socket pair + * @socka: one socket + * @sockb: another socket + * + * Cross reference the peer labels for SO_PEERSEC + * + * Returns 0 on success, and error code otherwise + */ +static int smack_socket_socketpair(struct socket *socka, + struct socket *sockb) +{ + struct socket_smack *asp = socka->sk->sk_security; + struct socket_smack *bsp = sockb->sk->sk_security; + + asp->smk_packet = bsp->smk_out; + bsp->smk_packet = asp->smk_out; + + return 0; +} + #ifdef SMACK_IPV6_PORT_LABELING /** * smack_socket_bind - record port binding information.
@@ -4724,6 +4745,7 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(unix_may_send, smack_unix_may_send), LSM_HOOK_INIT(socket_post_create, smack_socket_post_create), + LSM_HOOK_INIT(socket_socketpair, smack_socket_socketpair), #ifdef SMACK_IPV6_PORT_LABELING LSM_HOOK_INIT(socket_bind, smack_socket_bind), #endif
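Review bot: the kerneldoc above smack_socket_socketpair() in the first smack_lsm.c hunk promises "Returns 0 on success, and error code otherwise", but the function has no failure path and always returns 0; either drop the error-code clause or reword it to say the hook never fails. The body itself does what the one-line description says: each end's smk_packet is set to the other end's smk_out, which is what SO_PEERSEC on either fd will report.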