netlabel: add address family checks to netlbl_{sock, req}_delattr()

Message ID 146524175890.8042.12012703565205416569.stgit@localhost
State New

Commit Message

Paul Moore June 6, 2016, 7:35 p.m. UTC
From: Paul Moore <paul@paul-moore.com>

It seems risky to always rely on the caller to ensure the socket's
address family is correct before passing it to the NetLabel kAPI,
especially since we see at least one LSM which didn't. Add address
family checks to the *_delattr() functions to help prevent future
problems.

Cc: <stable@vger.kernel.org>
Reported-by: Maninder Singh <maninder1.s@samsung.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 net/netlabel/netlabel_kapi.c |   12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)


--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Paul Moore June 6, 2016, 7:37 p.m. UTC | #1
On Mon, Jun 6, 2016 at 3:35 PM, Paul Moore <pmoore@redhat.com> wrote:
> From: Paul Moore <paul@paul-moore.com>
>
> It seems risky to always rely on the caller to ensure the socket's
> address family is correct before passing it to the NetLabel kAPI,
> especially since we see at least one LSM which didn't. Add address
> family checks to the *_delattr() functions to help prevent future
> problems.
>
> Cc: <stable@vger.kernel.org>
> Reported-by: Maninder Singh <maninder1.s@samsung.com>
> Signed-off-by: Paul Moore <paul@paul-moore.com>
> ---
>  net/netlabel/netlabel_kapi.c |   12 ++++++++++--
>  1 file changed, 10 insertions(+), 2 deletions(-)

DaveM, since this is such a trivial fix I'm adding it into my
selinux#next branch right now, but if you would prefer to carry it via
netdev#next let me know.

> diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
> index 1325776..bd007a9 100644
> --- a/net/netlabel/netlabel_kapi.c
> +++ b/net/netlabel/netlabel_kapi.c
> @@ -824,7 +824,11 @@ socket_setattr_return:
>   */
>  void netlbl_sock_delattr(struct sock *sk)
>  {
> -       cipso_v4_sock_delattr(sk);
> +       switch (sk->sk_family) {
> +       case AF_INET:
> +               cipso_v4_sock_delattr(sk);
> +               break;
> +       }
>  }
>
>  /**
> @@ -987,7 +991,11 @@ req_setattr_return:
>  */
>  void netlbl_req_delattr(struct request_sock *req)
>  {
> -       cipso_v4_req_delattr(req);
> +       switch (req->rsk_ops->family) {
> +       case AF_INET:
> +               cipso_v4_req_delattr(req);
> +               break;
> +       }
>  }
>
>  /**
>
David Miller June 6, 2016, 9:06 p.m. UTC | #2
From: Paul Moore <pmoore@redhat.com>
Date: Mon, 6 Jun 2016 15:37:56 -0400

> On Mon, Jun 6, 2016 at 3:35 PM, Paul Moore <pmoore@redhat.com> wrote:
>> From: Paul Moore <paul@paul-moore.com>
>>
>> It seems risky to always rely on the caller to ensure the socket's
>> address family is correct before passing it to the NetLabel kAPI,
>> especially since we see at least one LSM which didn't. Add address
>> family checks to the *_delattr() functions to help prevent future
>> problems.
>>
>> Cc: <stable@vger.kernel.org>
>> Reported-by: Maninder Singh <maninder1.s@samsung.com>
>> Signed-off-by: Paul Moore <paul@paul-moore.com>
>> ---
>>  net/netlabel/netlabel_kapi.c |   12 ++++++++++--
>>  1 file changed, 10 insertions(+), 2 deletions(-)
> 
> DaveM, since this is such a trivial fix I'm adding it into my
> selinux#next branch right now, but if you would prefer to carry it via
> netdev#next let me know.

That's fine.

Patch

diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index 1325776..bd007a9 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -824,7 +824,11 @@  socket_setattr_return:
  */
 void netlbl_sock_delattr(struct sock *sk)
 {
-	cipso_v4_sock_delattr(sk);
+	switch (sk->sk_family) {
+	case AF_INET:
+		cipso_v4_sock_delattr(sk);
+		break;
+	}
 }
 
 /**
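Review bot: the new switch in netlbl_sock_delattr() has no default arm, so every family other than AF_INET now returns silently, and the kernel-doc comment that ends just above the function (the `*/` at the top of the hunk) is not updated to say so. Since the quiet no-op is the intended behaviour for a caller that hands in the wrong socket type, make it explicit with a `default: break;` carrying a one-line comment, and amend the kernel-doc to state that attributes are only removed from AF_INET sockets, so an AF_INET6 caller is not surprised that nothing is cleared. It is also worth confirming that netlbl_sock_setattr() dispatches on the same sk->sk_family value, so that any label that can be set on a socket can be deleted again by this path.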
@@ -987,7 +991,11 @@  req_setattr_return:
 */
 void netlbl_req_delattr(struct request_sock *req)
 {
-	cipso_v4_req_delattr(req);
+	switch (req->rsk_ops->family) {
+	case AF_INET:
+		cipso_v4_req_delattr(req);
+		break;
+	}
 }
 
 /**
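Review bot: netlbl_req_delattr() keys its switch on req->rsk_ops->family while the socket variant keys on sk->sk_family; a short comment saying that the request-sock ops family is deliberately used rather than the listening socket's family would save the next reader from wondering whether the two functions should match, and the kernel-doc above the function (the `*/` at the top of the hunk) needs the same note that only AF_INET request sockets are handled. As in netlbl_sock_delattr(), the switch has no default arm; add `default: break;` with a comment so the intentional no-op for other families is explicit, and check that netlbl_req_setattr() uses the same family value so set and delete stay symmetric.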