From patchwork Mon Jun 6 19:35:58 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Paul Moore
X-Patchwork-Id: 9159067
Subject: [PATCH] netlabel: add address family checks to netlbl_{sock, req}_delattr()
From: Paul Moore
To: netdev@vger.kernel.org, linux-security-module@vger.kernel.org
Cc: maninder1.s@samsung.com, selinux@tycho.nsa.gov
Date: Mon, 06 Jun 2016 15:35:58 -0400
Message-ID: <146524175890.8042.12012703565205416569.stgit@localhost>
User-Agent: StGit/0.17.1-dirty
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

From: Paul Moore It seems risky to always rely on the caller to ensure the socket's address family is correct before passing it to the NetLabel kAPI, especially since we see at least one LSM which didn't. Add address family checks to the *_delattr() functions to help prevent future problems. Cc: Reported-by: Maninder Singh Signed-off-by: Paul Moore --- net/netlabel/netlabel_kapi.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c index 1325776..bd007a9 100644 --- a/net/netlabel/netlabel_kapi.c +++ b/net/netlabel/netlabel_kapi.c @@ -824,7 +824,11 @@ socket_setattr_return: */ void netlbl_sock_delattr(struct sock *sk) { - cipso_v4_sock_delattr(sk); + switch (sk->sk_family) { + case AF_INET: + cipso_v4_sock_delattr(sk); + break; + } } /** @@ -987,7 +991,11 @@ req_setattr_return: */ void netlbl_req_delattr(struct request_sock *req) { - cipso_v4_req_delattr(req); + switch (req->rsk_ops->family) { + case AF_INET: + cipso_v4_req_delattr(req); + break; + } } /**
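
Review bot: In netlbl_sock_delattr(), the new switch (sk->sk_family) has no default case, so a socket of any family other than AF_INET now falls through and the void function returns without doing anything. That matches the intent of the commit message, but the patch leaves the function's comment block untouched; it should say that non-AF_INET sockets are ignored, and an explicit "default: break;" or a one-line comment in the switch would make the no-op path obvious to whoever adds the next address family.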
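
Review bot: In netlbl_req_delattr(), switch (req->rsk_ops->family) adds a dereference of req->rsk_ops that the old code did not have, since it only passed req through to cipso_v4_req_delattr(). The commit message argues against trusting callers, so either confirm that rsk_ops is set for every request_sock that can reach this function and record that assumption in the function comment, or guard the dereference. As with the sock variant, the comment should also state that requests of other families are silently ignored.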