security: add sctp_assoc_established hook
security_sctp_assoc_established() is added to replace
security_inet_conn_established() called in
sctp_sf_do_5_1E_ca(), so that asoc can be accessed in security
subsystem and save the peer secid to asoc->peer_secid.
Fixes: 72e89f5008
("security: Add support for SCTP security hooks")
Reported-by: Prashanth Prahlad <pprahlad@redhat.com>
Based-on-patch-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Tested-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit is contained in:
Родитель
70f4169ab4
Коммит
5e50f5d4ff
|
@ -15,10 +15,7 @@ For security module support, three SCTP specific hooks have been implemented::
|
|||
security_sctp_assoc_request()
|
||||
security_sctp_bind_connect()
|
||||
security_sctp_sk_clone()
|
||||
|
||||
Also the following security hook has been utilised::
|
||||
|
||||
security_inet_conn_established()
|
||||
security_sctp_assoc_established()
|
||||
|
||||
The usage of these hooks are described below with the SELinux implementation
|
||||
described in the `SCTP SELinux Support`_ chapter.
|
||||
|
@ -122,11 +119,12 @@ calls **sctp_peeloff**\(3).
|
|||
@newsk - pointer to new sock structure.
|
||||
|
||||
|
||||
security_inet_conn_established()
|
||||
security_sctp_assoc_established()
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
Called when a COOKIE ACK is received::
|
||||
Called when a COOKIE ACK is received, and the peer secid will be
|
||||
saved into ``@asoc->peer_secid`` for client::
|
||||
|
||||
@sk - pointer to sock structure.
|
||||
@asoc - pointer to sctp association structure.
|
||||
@skb - pointer to skbuff of the COOKIE ACK packet.
|
||||
|
||||
|
||||
|
@ -134,7 +132,7 @@ Security Hooks used for Association Establishment
|
|||
-------------------------------------------------
|
||||
|
||||
The following diagram shows the use of ``security_sctp_bind_connect()``,
|
||||
``security_sctp_assoc_request()``, ``security_inet_conn_established()`` when
|
||||
``security_sctp_assoc_request()``, ``security_sctp_assoc_established()`` when
|
||||
establishing an association.
|
||||
::
|
||||
|
||||
|
@ -172,7 +170,7 @@ establishing an association.
|
|||
<------------------------------------------- COOKIE ACK
|
||||
| |
|
||||
sctp_sf_do_5_1E_ca |
|
||||
Call security_inet_conn_established() |
|
||||
Call security_sctp_assoc_established() |
|
||||
to set the peer label. |
|
||||
| |
|
||||
| If SCTP_SOCKET_TCP or peeled off
|
||||
|
@ -198,7 +196,7 @@ hooks with the SELinux specifics expanded below::
|
|||
security_sctp_assoc_request()
|
||||
security_sctp_bind_connect()
|
||||
security_sctp_sk_clone()
|
||||
security_inet_conn_established()
|
||||
security_sctp_assoc_established()
|
||||
|
||||
|
||||
security_sctp_assoc_request()
|
||||
|
@ -271,12 +269,12 @@ sockets sid and peer sid to that contained in the ``@asoc sid`` and
|
|||
@newsk - pointer to new sock structure.
|
||||
|
||||
|
||||
security_inet_conn_established()
|
||||
security_sctp_assoc_established()
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
Called when a COOKIE ACK is received where it sets the connection's peer sid
|
||||
to that in ``@skb``::
|
||||
|
||||
@sk - pointer to sock structure.
|
||||
@asoc - pointer to sctp association structure.
|
||||
@skb - pointer to skbuff of the COOKIE ACK packet.
|
||||
|
||||
|
||||
|
|
|
@ -332,6 +332,8 @@ LSM_HOOK(int, 0, sctp_bind_connect, struct sock *sk, int optname,
|
|||
struct sockaddr *address, int addrlen)
|
||||
LSM_HOOK(void, LSM_RET_VOID, sctp_sk_clone, struct sctp_association *asoc,
|
||||
struct sock *sk, struct sock *newsk)
|
||||
LSM_HOOK(int, 0, sctp_assoc_established, struct sctp_association *asoc,
|
||||
struct sk_buff *skb)
|
||||
#endif /* CONFIG_SECURITY_NETWORK */
|
||||
|
||||
#ifdef CONFIG_SECURITY_INFINIBAND
|
||||
|
|
|
@ -1046,6 +1046,11 @@
|
|||
* @asoc pointer to current sctp association structure.
|
||||
* @sk pointer to current sock structure.
|
||||
* @newsk pointer to new sock structure.
|
||||
* @sctp_assoc_established:
|
||||
* Passes the @asoc and @chunk->skb of the association COOKIE_ACK packet
|
||||
* to the security module.
|
||||
* @asoc pointer to sctp association structure.
|
||||
* @skb pointer to skbuff of association packet.
|
||||
*
|
||||
* Security hooks for Infiniband
|
||||
*
|
||||
|
|
|
@ -1422,6 +1422,8 @@ int security_sctp_bind_connect(struct sock *sk, int optname,
|
|||
struct sockaddr *address, int addrlen);
|
||||
void security_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk,
|
||||
struct sock *newsk);
|
||||
int security_sctp_assoc_established(struct sctp_association *asoc,
|
||||
struct sk_buff *skb);
|
||||
|
||||
#else /* CONFIG_SECURITY_NETWORK */
|
||||
static inline int security_unix_stream_connect(struct sock *sock,
|
||||
|
@ -1641,6 +1643,12 @@ static inline void security_sctp_sk_clone(struct sctp_association *asoc,
|
|||
struct sock *newsk)
|
||||
{
|
||||
}
|
||||
|
||||
static inline int security_sctp_assoc_established(struct sctp_association *asoc,
|
||||
struct sk_buff *skb)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
#endif /* CONFIG_SECURITY_NETWORK */
|
||||
|
||||
#ifdef CONFIG_SECURITY_INFINIBAND
|
||||
|
|
|
@ -930,6 +930,11 @@ enum sctp_disposition sctp_sf_do_5_1E_ca(struct net *net,
|
|||
if (!sctp_vtag_verify(chunk, asoc))
|
||||
return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
|
||||
|
||||
/* Set peer label for connection. */
|
||||
if (security_sctp_assoc_established((struct sctp_association *)asoc,
|
||||
chunk->skb))
|
||||
return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
|
||||
|
||||
/* Verify that the chunk length for the COOKIE-ACK is OK.
|
||||
* If we don't do this, any bundled chunks may be junked.
|
||||
*/
|
||||
|
@ -945,9 +950,6 @@ enum sctp_disposition sctp_sf_do_5_1E_ca(struct net *net,
|
|||
*/
|
||||
sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
|
||||
|
||||
/* Set peer label for connection. */
|
||||
security_inet_conn_established(ep->base.sk, chunk->skb);
|
||||
|
||||
/* RFC 2960 5.1 Normal Establishment of an Association
|
||||
*
|
||||
* E) Upon reception of the COOKIE ACK, endpoint "A" will move
|
||||
|
|
|
@ -2393,6 +2393,13 @@ void security_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk,
|
|||
}
|
||||
EXPORT_SYMBOL(security_sctp_sk_clone);
|
||||
|
||||
int security_sctp_assoc_established(struct sctp_association *asoc,
|
||||
struct sk_buff *skb)
|
||||
{
|
||||
return call_int_hook(sctp_assoc_established, 0, asoc, skb);
|
||||
}
|
||||
EXPORT_SYMBOL(security_sctp_assoc_established);
|
||||
|
||||
#endif /* CONFIG_SECURITY_NETWORK */
|
||||
|
||||
#ifdef CONFIG_SECURITY_INFINIBAND
|
||||
|
|
Загрузка…
Ссылка в новой задаче