Commit 32a370ab authored by Paul Moore

net,lsm,selinux: revert the security_sctp_assoc_established() hook

This patch reverts two prior patches, e7310c94
("security: implement sctp_assoc_established hook in selinux") and
7c2ef024 ("security: add sctp_assoc_established hook"), which
create the security_sctp_assoc_established() LSM hook and provide a
SELinux implementation.  Unfortunately these two patches were merged
without proper review (the Reviewed-by and Tested-by tags from
Richard Haines were for previous revisions of these patches that
were significantly different) and there are outstanding objections
from the SELinux maintainers regarding these patches.

Work is currently ongoing to correct the problems identified in the
reverted patches, as well as others that have come up during review,
but it is unclear at this point in time when that work will be ready
for inclusion in the mainline kernel.  In the interest of not keeping
objectionable code in the kernel for multiple weeks, and potentially
a kernel release, we are reverting the two problematic patches.

Signed-off-by: Paul Moore <paul@paul-moore.com>
parent 5833291a
...@@ -15,7 +15,10 @@ For security module support, three SCTP specific hooks have been implemented:: ...@@ -15,7 +15,10 @@ For security module support, three SCTP specific hooks have been implemented::
security_sctp_assoc_request() security_sctp_assoc_request()
security_sctp_bind_connect() security_sctp_bind_connect()
security_sctp_sk_clone() security_sctp_sk_clone()
security_sctp_assoc_established()
Also the following security hook has been utilised::
security_inet_conn_established()
The usage of these hooks are described below with the SELinux implementation The usage of these hooks are described below with the SELinux implementation
described in the `SCTP SELinux Support`_ chapter. described in the `SCTP SELinux Support`_ chapter.
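Review bot: the context line of this hunk still reads "three SCTP specific hooks have been implemented", so removing security_sctp_assoc_established() from the list brings the count and the list back into agreement; the reverted revision had listed four hooks under a heading that still said three. Restoring the "Also the following security hook has been utilised:: security_inet_conn_established()" paragraph is consistent with the sctp_sf_do_5_1E_ca hunk further down, which puts that call back at the COOKIE ACK site.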
...@@ -119,12 +122,11 @@ calls **sctp_peeloff**\(3). ...@@ -119,12 +122,11 @@ calls **sctp_peeloff**\(3).
@newsk - pointer to new sock structure. @newsk - pointer to new sock structure.
security_sctp_assoc_established() security_inet_conn_established()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Called when a COOKIE ACK is received, and the peer secid will be Called when a COOKIE ACK is received::
saved into ``@asoc->peer_secid`` for client::
@asoc - pointer to sctp association structure. @sk - pointer to sock structure.
@skb - pointer to skbuff of the COOKIE ACK packet. @skb - pointer to skbuff of the COOKIE ACK packet.
...@@ -132,7 +134,7 @@ Security Hooks used for Association Establishment ...@@ -132,7 +134,7 @@ Security Hooks used for Association Establishment
------------------------------------------------- -------------------------------------------------
The following diagram shows the use of ``security_sctp_bind_connect()``, The following diagram shows the use of ``security_sctp_bind_connect()``,
``security_sctp_assoc_request()``, ``security_sctp_assoc_established()`` when ``security_sctp_assoc_request()``, ``security_inet_conn_established()`` when
establishing an association. establishing an association.
:: ::
...@@ -170,7 +172,7 @@ establishing an association. ...@@ -170,7 +172,7 @@ establishing an association.
<------------------------------------------- COOKIE ACK <------------------------------------------- COOKIE ACK
| | | |
sctp_sf_do_5_1E_ca | sctp_sf_do_5_1E_ca |
Call security_sctp_assoc_established() | Call security_inet_conn_established() |
to set the peer label. | to set the peer label. |
| | | |
| If SCTP_SOCKET_TCP or peeled off | If SCTP_SOCKET_TCP or peeled off
...@@ -196,7 +198,7 @@ hooks with the SELinux specifics expanded below:: ...@@ -196,7 +198,7 @@ hooks with the SELinux specifics expanded below::
security_sctp_assoc_request() security_sctp_assoc_request()
security_sctp_bind_connect() security_sctp_bind_connect()
security_sctp_sk_clone() security_sctp_sk_clone()
security_sctp_assoc_established() security_inet_conn_established()
security_sctp_assoc_request() security_sctp_assoc_request()
...@@ -269,12 +271,12 @@ sockets sid and peer sid to that contained in the ``@asoc sid`` and ...@@ -269,12 +271,12 @@ sockets sid and peer sid to that contained in the ``@asoc sid`` and
@newsk - pointer to new sock structure. @newsk - pointer to new sock structure.
security_sctp_assoc_established() security_inet_conn_established()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Called when a COOKIE ACK is received where it sets the connection's peer sid Called when a COOKIE ACK is received where it sets the connection's peer sid
to that in ``@skb``:: to that in ``@skb``::
@asoc - pointer to sctp association structure. @sk - pointer to sock structure.
@skb - pointer to skbuff of the COOKIE ACK packet. @skb - pointer to skbuff of the COOKIE ACK packet.
......
...@@ -335,8 +335,6 @@ LSM_HOOK(int, 0, sctp_bind_connect, struct sock *sk, int optname, ...@@ -335,8 +335,6 @@ LSM_HOOK(int, 0, sctp_bind_connect, struct sock *sk, int optname,
struct sockaddr *address, int addrlen) struct sockaddr *address, int addrlen)
LSM_HOOK(void, LSM_RET_VOID, sctp_sk_clone, struct sctp_association *asoc, LSM_HOOK(void, LSM_RET_VOID, sctp_sk_clone, struct sctp_association *asoc,
struct sock *sk, struct sock *newsk) struct sock *sk, struct sock *newsk)
LSM_HOOK(void, LSM_RET_VOID, sctp_assoc_established, struct sctp_association *asoc,
struct sk_buff *skb)
#endif /* CONFIG_SECURITY_NETWORK */ #endif /* CONFIG_SECURITY_NETWORK */
#ifdef CONFIG_SECURITY_INFINIBAND #ifdef CONFIG_SECURITY_INFINIBAND
......
...@@ -1050,11 +1050,6 @@ ...@@ -1050,11 +1050,6 @@
* @asoc pointer to current sctp association structure. * @asoc pointer to current sctp association structure.
* @sk pointer to current sock structure. * @sk pointer to current sock structure.
* @newsk pointer to new sock structure. * @newsk pointer to new sock structure.
* @sctp_assoc_established:
* Passes the @asoc and @chunk->skb of the association COOKIE_ACK packet
* to the security module.
* @asoc pointer to sctp association structure.
* @skb pointer to skbuff of association packet.
* *
* Security hooks for Infiniband * Security hooks for Infiniband
* *
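Review bot: the removed @sctp_assoc_established doc comment describes the second argument as "@chunk->skb of the association COOKIE_ACK packet", which names a caller-side expression rather than the hook's own @skb parameter; the parameter list right below it uses @skb. When the hook is reintroduced, the description should refer to @skb only, so the kernel-doc stays consistent with the LSM_HOOK signature.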
......
...@@ -1430,8 +1430,6 @@ int security_sctp_bind_connect(struct sock *sk, int optname, ...@@ -1430,8 +1430,6 @@ int security_sctp_bind_connect(struct sock *sk, int optname,
struct sockaddr *address, int addrlen); struct sockaddr *address, int addrlen);
void security_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk, void security_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk,
struct sock *newsk); struct sock *newsk);
void security_sctp_assoc_established(struct sctp_association *asoc,
struct sk_buff *skb);
#else /* CONFIG_SECURITY_NETWORK */ #else /* CONFIG_SECURITY_NETWORK */
static inline int security_unix_stream_connect(struct sock *sock, static inline int security_unix_stream_connect(struct sock *sock,
...@@ -1651,11 +1649,6 @@ static inline void security_sctp_sk_clone(struct sctp_association *asoc, ...@@ -1651,11 +1649,6 @@ static inline void security_sctp_sk_clone(struct sctp_association *asoc,
struct sock *newsk) struct sock *newsk)
{ {
} }
static inline void security_sctp_assoc_established(struct sctp_association *asoc,
struct sk_buff *skb)
{
}
#endif /* CONFIG_SECURITY_NETWORK */ #endif /* CONFIG_SECURITY_NETWORK */
#ifdef CONFIG_SECURITY_INFINIBAND #ifdef CONFIG_SECURITY_INFINIBAND
......
...@@ -946,7 +946,7 @@ enum sctp_disposition sctp_sf_do_5_1E_ca(struct net *net, ...@@ -946,7 +946,7 @@ enum sctp_disposition sctp_sf_do_5_1E_ca(struct net *net,
sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
/* Set peer label for connection. */ /* Set peer label for connection. */
security_sctp_assoc_established((struct sctp_association *)asoc, chunk->skb); security_inet_conn_established(ep->base.sk, chunk->skb);
/* RFC 2960 5.1 Normal Establishment of an Association /* RFC 2960 5.1 Normal Establishment of an Association
* *
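Review bot: the reverted call `security_sctp_assoc_established((struct sctp_association *)asoc, chunk->skb)` casts the const qualifier off @asoc so the hook can write asoc->peer_secid and asoc->secid; restoring `security_inet_conn_established(ep->base.sk, chunk->skb)` removes that cast, but it also means the peer label is written to the endpoint socket again rather than to the association, so on a one-to-many style socket every COOKIE ACK overwrites the same sk peer label. That per-socket limitation is what the reverted hook was meant to address and should stay on the list for the reworked version, ideally with a const-correct signature instead of a cast at the call site.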
......
...@@ -2388,13 +2388,6 @@ void security_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk, ...@@ -2388,13 +2388,6 @@ void security_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk,
} }
EXPORT_SYMBOL(security_sctp_sk_clone); EXPORT_SYMBOL(security_sctp_sk_clone);
void security_sctp_assoc_established(struct sctp_association *asoc,
struct sk_buff *skb)
{
call_void_hook(sctp_assoc_established, asoc, skb);
}
EXPORT_SYMBOL(security_sctp_assoc_established);
#endif /* CONFIG_SECURITY_NETWORK */ #endif /* CONFIG_SECURITY_NETWORK */
#ifdef CONFIG_SECURITY_INFINIBAND #ifdef CONFIG_SECURITY_INFINIBAND
......
...@@ -5502,8 +5502,7 @@ static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk ...@@ -5502,8 +5502,7 @@ static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk
if (!selinux_policycap_extsockclass()) if (!selinux_policycap_extsockclass())
return selinux_sk_clone_security(sk, newsk); return selinux_sk_clone_security(sk, newsk);
if (asoc->secid != SECSID_WILD) newsksec->sid = asoc->secid;
newsksec->sid = asoc->secid;
newsksec->peer_sid = asoc->peer_secid; newsksec->peer_sid = asoc->peer_secid;
newsksec->sclass = sksec->sclass; newsksec->sclass = sksec->sclass;
selinux_netlbl_sctp_sk_clone(sk, newsk); selinux_netlbl_sctp_sk_clone(sk, newsk);
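Review bot: dropping the `if (asoc->secid != SECSID_WILD)` guard makes `newsksec->sid = asoc->secid;` unconditional again, which is only safe because the same patch removes the one writer of SECSID_WILD into asoc->secid (selinux_sctp_assoc_established in the hunk below). If a sentinel like this comes back, the guard and the writer should land in one patch, and the meaning of SECSID_WILD in asoc->secid should be documented next to the field rather than inferred from this check.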
...@@ -5559,16 +5558,6 @@ static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) ...@@ -5559,16 +5558,6 @@ static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
} }
static void selinux_sctp_assoc_established(struct sctp_association *asoc,
struct sk_buff *skb)
{
struct sk_security_struct *sksec = asoc->base.sk->sk_security;
selinux_inet_conn_established(asoc->base.sk, skb);
asoc->peer_secid = sksec->peer_sid;
asoc->secid = SECSID_WILD;
}
static int selinux_secmark_relabel_packet(u32 sid) static int selinux_secmark_relabel_packet(u32 sid)
{ {
const struct task_security_struct *__tsec; const struct task_security_struct *__tsec;
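Review bot: the removed selinux_sctp_assoc_established() derived the association's peer label indirectly: it first called selinux_inet_conn_established(asoc->base.sk, skb), which stores the skb's peer SID into sksec->peer_sid (see the selinux_skb_peerlbl_sid() context line at the top of this hunk), and only then copied sksec->peer_sid into asoc->peer_secid and set asoc->secid = SECSID_WILD. The socket's peer_sid is therefore still overwritten on every COOKIE ACK before the association copy is taken, so the per-socket label problem is moved rather than solved; a reworked hook should label the association from the skb directly without routing through the socket's security struct.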
...@@ -7239,7 +7228,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { ...@@ -7239,7 +7228,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request), LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone), LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect), LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
LSM_HOOK_INIT(sctp_assoc_established, selinux_sctp_assoc_established),
LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request), LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone), LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established), LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
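Review bot: removing the `LSM_HOOK_INIT(sctp_assoc_established, selinux_sctp_assoc_established)` entry is required by the lsm_hook_defs.h hunk in this same patch, which deletes the hook's LSM_HOOK definition; a registration without a matching definition would not build, so the two must not be split when the hook is reintroduced.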
......