
[2/2] selinux: Implement mptcp_add_subflow hook

Message ID d6f04d238c8a797899d6cb543a43f75e544221af.1671054577.git.pabeni@redhat.com (mailing list archive)
State Superseded

Commit Message

Paolo Abeni Dec. 14, 2022, 10:01 p.m. UTC
Newly added subflows should inherit the associated label
from the current process context, regardless of the sk_kern_sock
flag value.

This patch implements the above by resetting the subflow sid, deleting
the existing subflow label, if any, and then re-creating a new one.

Signed-off-by: Paolo Abeni <pabeni@redhat.com>
---
 security/selinux/hooks.c | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

Comments

kernel test robot Dec. 15, 2022, 2:59 a.m. UTC | #1
Hi Paolo,

I love your patch! Yet something to improve:

[auto build test ERROR on linus/master]
[also build test ERROR on v6.1 next-20221214]
[cannot apply to pcmoore-selinux/next pcmoore-audit/next]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Paolo-Abeni/lsm-introduce-and-use-security_mptcp_add_subflow/20221215-060410
patch link:    https://lore.kernel.org/r/d6f04d238c8a797899d6cb543a43f75e544221af.1671054577.git.pabeni%40redhat.com
patch subject: [PATCH 2/2] selinux: Implement mptcp_add_subflow hook
config: s390-defconfig
compiler: s390-linux-gcc (GCC) 12.1.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/intel-lab-lkp/linux/commit/b7b7443e4d94a98247ba4ce5a0df1e6417f8d147
        git remote add linux-review https://github.com/intel-lab-lkp/linux
        git fetch --no-tags linux-review Paolo-Abeni/lsm-introduce-and-use-security_mptcp_add_subflow/20221215-060410
        git checkout b7b7443e4d94a98247ba4ce5a0df1e6417f8d147
        # save the config file
        mkdir build_dir && cp config build_dir/.config
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=s390 SHELL=/bin/bash

If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>

All errors (new ones prefixed by >>):

   security/selinux/hooks.c: In function 'selinux_mptcp_add_subflow':
>> security/selinux/hooks.c:5501:19: error: 'struct sk_security_struct' has no member named 'nlbl_secattr'
    5501 |         if (ssksec->nlbl_secattr != NULL) {
         |                   ^~
   security/selinux/hooks.c:5502:43: error: 'struct sk_security_struct' has no member named 'nlbl_secattr'
    5502 |                 netlbl_secattr_free(ssksec->nlbl_secattr);
         |                                           ^~
   security/selinux/hooks.c:5503:23: error: 'struct sk_security_struct' has no member named 'nlbl_secattr'
    5503 |                 ssksec->nlbl_secattr = NULL;
         |                       ^~


vim +5501 security/selinux/hooks.c

  5478	
  5479	static int selinux_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
  5480	{
  5481		const struct task_security_struct *tsec = selinux_cred(current_cred());
  5482		struct sk_security_struct *ssksec = ssk->sk_security;
  5483		u16 sclass;
  5484		u32 sid;
  5485		int err;
  5486	
  5487		/* create the sid using the current cred, regardless of the ssk kern
  5488		 * flag
  5489		 */
  5490		sclass = socket_type_to_security_class(ssk->sk_family, ssk->sk_type,
  5491						       ssk->sk_protocol);
  5492		err = socket_sockcreate_sid(tsec, sclass, &sid);
  5493		if (err)
  5494			return err;
  5495	
  5496		ssksec->sid = sid;
  5497	
  5498		/* replace the existing subflow label with the new one
  5499		 * inherited from the mptcp socket
  5500		 */
> 5501		if (ssksec->nlbl_secattr != NULL) {
  5502			netlbl_secattr_free(ssksec->nlbl_secattr);
  5503			ssksec->nlbl_secattr = NULL;
  5504		}
  5505		return selinux_netlbl_socket_post_create(ssk, ssk->sk_family);
  5506	}
  5507

Patch

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 3c5be76a9199..cbb4c711c502 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5476,6 +5476,35 @@  static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk
 	selinux_netlbl_sctp_sk_clone(sk, newsk);
 }
 
+static int selinux_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
+{
+	const struct task_security_struct *tsec = selinux_cred(current_cred());
+	struct sk_security_struct *ssksec = ssk->sk_security;
+	u16 sclass;
+	u32 sid;
+	int err;
+
+	/* create the sid using the current cred, regardless of the ssk kern
+	 * flag
+	 */
+	sclass = socket_type_to_security_class(ssk->sk_family, ssk->sk_type,
+					       ssk->sk_protocol);
+	err = socket_sockcreate_sid(tsec, sclass, &sid);
+	if (err)
+		return err;
+
+	ssksec->sid = sid;
+
+	/* replace the existing subflow label with the new one
+	 * inherited from the mptcp socket
+	 */
+	if (ssksec->nlbl_secattr != NULL) {
+		netlbl_secattr_free(ssksec->nlbl_secattr);
+		ssksec->nlbl_secattr = NULL;
+	}
+	return selinux_netlbl_socket_post_create(ssk, ssk->sk_family);
+}
+
 static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb,
 				     struct request_sock *req)
 {
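Review bot: The direct `ssksec->nlbl_secattr` access in the new selinux_mptcp_add_subflow body does not build on configurations where that member is absent, as the s390-defconfig report on this thread shows; the netlabel-specific state should be released through the existing stub-able helper in the SELinux netlabel layer, replacing the three-line `if (ssksec->nlbl_secattr != NULL) { ... }` block with `selinux_netlbl_sk_security_free(ssksec);` so that the !NETLABEL build compiles to a no-op. The comment above that block says the label is "inherited from the mptcp socket", but the sid is derived from `current_cred()` and the `sk` parameter is never read, so the comment should say `/* drop the old netlabel state so post_create re-labels ssk with the sid computed above */` to match what the code does. It is also worth noting that only `ssksec->sid` is rewritten while `ssksec->sclass` is left as set at socket creation; that is presumably the same class since the same family/type/protocol are used, but a one-line comment stating that assumption would help the next reader. If socket_sockcreate_sid() fails the subflow keeps its previous (kernel) sid, which is acceptable only if the caller discards the subflow on a non-zero return; the hook's contract should state this.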
@@ -7216,6 +7245,7 @@  static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
 	LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
 	LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
 	LSM_HOOK_INIT(sctp_assoc_established, selinux_sctp_assoc_established),
+	LSM_HOOK_INIT(mptcp_add_subflow, selinux_mptcp_add_subflow),
 	LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
 	LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
 	LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),