[mptcp-net] mptcp: fix security context on server socket

Message ID	3a0d657c067957c1dc18310c63179fade8f9a563.1607704071.git.pabeni@redhat.com
State	Accepted, archived
Commit	43befa4d4bfd0ff5ab1b36aee50c1492c4d717b9
Delegated to:	Matthieu Baerts
Headers	show Return-Path: <mptcp-bounces@lists.01.org> Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=216.205.24.124; helo=us-smtp-delivery-124.mimecast.com; envelope-from=pabeni@redhat.com; receiver=<UNKNOWN> From: Paolo Abeni <pabeni@redhat.com> To: mptcp@lists.01.org Date: Fri, 11 Dec 2020 17:28:10 +0100 Message-Id: <3a0d657c067957c1dc18310c63179fade8f9a563.1607704071.git.pabeni@redhat.com> MIME-Version: 1.0 Message-ID-Hash: 34Z6RYUYJB2T2ODZBF4SFYUCQA7EOXGJ Precedence: list Subject: [MPTCP] [mptcp-net PATCH] mptcp: fix security context on server socket Archived-At: <https://lists.01.org/hyperkitty/list/mptcp@lists.01.org/message/34Z6RYUYJB2T2ODZBF4SFYUCQA7EOXGJ/> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit
Series	[mptcp-net] mptcp: fix security context on server socket \| expand [mptcp-net] mptcp: fix security context on server socket

Message ID

3a0d657c067957c1dc18310c63179fade8f9a563.1607704071.git.pabeni@redhat.com

State

Accepted, archived

Commit

43befa4d4bfd0ff5ab1b36aee50c1492c4d717b9

Delegated to:

Matthieu Baerts

Headers

show

Return-Path: <mptcp-bounces@lists.01.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
 spf=none (no SPF record) smtp.mailfrom=lists.01.org
 (client-ip=2001:19d0:306:5::1; helo=ml01.01.org;
 envelope-from=mptcp-bounces@lists.01.org; receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
 dmarc=fail (p=none dis=none) header.from=redhat.com
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (1024-bit key;
 unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256
 header.s=mimecast20190719 header.b=FwQWtDQW;
	dkim-atps=neutral
Received: from ml01.01.org (ml01.01.org [IPv6:2001:19d0:306:5::1])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest
 SHA256)
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 4Csx6h6y6vz9sSn
	for <incoming@patchwork.ozlabs.org>; Sat, 12 Dec 2020 03:28:28 +1100 (AEDT)
Received: from ml01.vlan13.01.org (localhost [IPv6:::1])
	by ml01.01.org (Postfix) with ESMTP id 8E597100EBBA7;
	Fri, 11 Dec 2020 08:28:24 -0800 (PST)
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=216.205.24.124;
 helo=us-smtp-delivery-124.mimecast.com; envelope-from=pabeni@redhat.com;
 receiver=<UNKNOWN> 
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [216.205.24.124])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits))
	(No client certificate requested)
	by ml01.01.org (Postfix) with ESMTPS id C4338100EC1E6
	for <mptcp@lists.01.org>; Fri, 11 Dec 2020 08:28:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1607704101;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=hwikaJujoStgg9qyZzgM9naKdJZ6LprFviOTwXkBX68=;
	b=FwQWtDQWiUGAqhP0eTF0IKQ1KdwENnLcvdfqwL/n0hvLlxCEKUhvlsUxCByDOQRPP2dL0y
	NMvzBjf0+RAMiVWwxiVTHRTzVoubXBlx5c/rVfPb+9JQW+L6UVnlrWTSmLeev1wZBMt+Z2
	LX7thAfKqkPFAStAo32a7dG+3xEelRM=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-173-swB_FwFyP9uAVGqbaI-axA-1; Fri, 11 Dec 2020 11:28:18 -0500
X-MC-Unique: swB_FwFyP9uAVGqbaI-axA-1
Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com
 [10.5.11.11])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 60E8B9CC09
	for <mptcp@lists.01.org>; Fri, 11 Dec 2020 16:28:17 +0000 (UTC)
Received: from gerbillo.redhat.com (ovpn-113-126.ams2.redhat.com
 [10.36.113.126])
	by smtp.corp.redhat.com (Postfix) with ESMTP id 9713360BD9
	for <mptcp@lists.01.org>; Fri, 11 Dec 2020 16:28:16 +0000 (UTC)
From: Paolo Abeni <pabeni@redhat.com>
To: mptcp@lists.01.org
Date: Fri, 11 Dec 2020 17:28:10 +0100
Message-Id: 
 <3a0d657c067957c1dc18310c63179fade8f9a563.1607704071.git.pabeni@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11
Authentication-Results: relay.mimecast.com;
	auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=pabeni@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Message-ID-Hash: 34Z6RYUYJB2T2ODZBF4SFYUCQA7EOXGJ
X-Message-ID-Hash: 34Z6RYUYJB2T2ODZBF4SFYUCQA7EOXGJ
X-MailFrom: pabeni@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation; nonmember-moderation; administrivia;
 implicit-dest; max-recipients; max-size; news-moderation; no-subject;
 suspicious-header
X-Mailman-Version: 3.1.1
Precedence: list
Subject: [MPTCP] [mptcp-net PATCH] mptcp: fix security context on server
 socket
List-Id: Discussions regarding MPTCP upstreaming <mptcp.lists.01.org>
Archived-At: 
 <https://lists.01.org/hyperkitty/list/mptcp@lists.01.org/message/34Z6RYUYJB2T2ODZBF4SFYUCQA7EOXGJ/>
List-Archive: <https://lists.01.org/hyperkitty/list/mptcp@lists.01.org/>
List-Help: <mailto:mptcp-request@lists.01.org?subject=help>
List-Post: <mailto:mptcp@lists.01.org>
List-Subscribe: <mailto:mptcp-join@lists.01.org>
List-Unsubscribe: <mailto:mptcp-leave@lists.01.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Series

[mptcp-net] mptcp: fix security context on server socket | expand

Commit Message

Paolo Abeni Dec. 11, 2020, 4:28 p.m. UTC

Currently MPTCP is not propagating the security context
from the ingress request socket to newly created msk
at clone time.

Address the issue invoking the missing security helper.

Fixes: cf7da0d66cc1 ("mptcp: Create SUBFLOW socket for incoming connections")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
---
 net/mptcp/protocol.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Matthieu Baerts Dec. 15, 2020, 11:44 a.m. UTC | #1

Hi Paolo,

On 11/12/2020 17:28, Paolo Abeni wrote:
> Currently MPTCP is not propagating the security context
> from the ingress request socket to newly created msk
> at clone time.
> 
> Address the issue invoking the missing security helper.

Thank you for this fix! Now in our tree!

- 43befa4d4bfd: mptcp: fix security context on server socket
- Results: d73b2c933a85..e1e3f281c849

Tests + export are going to be started soon!

Cheers,
Matt

diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
index 88f2a7a0ccb8..967ce9ccfc0d 100644
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -2081,6 +2081,8 @@  struct sock *mptcp_sk_clone(const struct sock *sk,
 	sock_reset_flag(nsk, SOCK_RCU_FREE);
 	/* will be fully established after successful MPC subflow creation */
 	inet_sk_state_store(nsk, TCP_SYN_RECV);
+
+	security_inet_csk_clone(nsk, req);
 	bh_unlock_sock(nsk);
 
 	/* keep a single reference */

[mptcp-net] mptcp: fix security context on server socket

Commit Message

Comments

Patch