From patchwork Mon Jun 20 13:36:52 2016
X-Patchwork-Submitter: Huw Davies
X-Patchwork-Id: 9187583
From: Huw Davies To: netdev@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov Subject: [PATCH v4 12/19] ipv6: Allow request socks to contain IPv6 options. Date: Mon, 20 Jun 2016 14:36:52 +0100 Message-Id: <1466429819-12707-13-git-send-email-huw@codeweavers.com> X-Mailer: git-send-email 2.7.4 X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: MIME-Version: 1.0 Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Virus-Scanned: ClamAV using ClamSMTP If set, these will take precedence over the parent's options during both sending and child creation. If they're not set, the parent's options (if any) will be used. This is to allow the security_inet_conn_request() hook to modify the IPv6 options in just the same way that it already may do for IPv4. Signed-off-by: Huw Davies --- include/net/inet_sock.h | 7 ++++++- net/dccp/ipv6.c | 12 +++++++++--- net/ipv4/tcp_input.c | 3 +++ net/ipv6/tcp_ipv6.c | 12 +++++++++--- 4 files changed, 27 insertions(+), 7 deletions(-) diff --git a/include/net/inet_sock.h b/include/net/inet_sock.h index 012b1f9..236a810 100644 --- a/include/net/inet_sock.h +++ b/include/net/inet_sock.h @@ -97,7 +97,12 @@ struct inet_request_sock { u32 ir_mark; union { struct ip_options_rcu *opt; - struct sk_buff *pktopts; +#if IS_ENABLED(CONFIG_IPV6) + struct { + struct ipv6_txoptions *ipv6_opt; + struct sk_buff *pktopts; + }; +#endif }; }; diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c index 4663a01..3381748 100644 --- a/net/dccp/ipv6.c +++ b/net/dccp/ipv6.c 
@@ -216,14 +216,17 @@ static int dccp_v6_send_response(const struct sock *sk, struct request_sock *req skb = dccp_make_response(sk, dst, req); if (skb != NULL) { struct dccp_hdr *dh = dccp_hdr(skb); + struct ipv6_txoptions *opt; dh->dccph_checksum = dccp_v6_csum_finish(skb, &ireq->ir_v6_loc_addr, &ireq->ir_v6_rmt_addr); fl6.daddr = ireq->ir_v6_rmt_addr; rcu_read_lock(); - err = ip6_xmit(sk, skb, &fl6, rcu_dereference(np->opt), - np->tclass); + opt = ireq->ipv6_opt; + if (!opt) + opt = rcu_dereference(np->opt); + err = ip6_xmit(sk, skb, &fl6, opt, np->tclass); rcu_read_unlock(); err = net_xmit_eval(err); } @@ -236,6 +239,7 @@ done: static void dccp_v6_reqsk_destructor(struct request_sock *req) { dccp_feat_list_purge(&dccp_rsk(req)->dreq_featneg); + kfree(inet_rsk(req)->ipv6_opt); kfree_skb(inet_rsk(req)->pktopts); } @@ -494,7 +498,9 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk, * Yes, keeping reference count would be much more clever, but we make * one more one thing there: reattach optmem to newsk. */ - opt = rcu_dereference(np->opt); + opt = ireq->ipv6_opt; + if (!opt) + opt = rcu_dereference(np->opt); if (opt) { opt = ipv6_dup_options(newsk, opt); RCU_INIT_POINTER(newnp->opt, opt); diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index c124c3c..f76b4ae 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -6148,6 +6148,9 @@ struct request_sock *inet_reqsk_alloc(const struct request_sock_ops *ops, kmemcheck_annotate_bitfield(ireq, flags); ireq->opt = NULL; +#if IS_ENABLED(CONFIG_IPV6) + ireq->pktopts = NULL; +#endif atomic64_set(&ireq->ir_cookie, 0); ireq->ireq_state = TCP_NEW_SYN_RECV; write_pnet(&ireq->ireq_net, sock_net(sk_listener)); diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index f443c6b..cb7407f 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c 
@@ -443,6 +443,7 @@ static int tcp_v6_send_synack(const struct sock *sk, struct dst_entry *dst, { struct inet_request_sock *ireq = inet_rsk(req); struct ipv6_pinfo *np = inet6_sk(sk); + struct ipv6_txoptions *opt; struct flowi6 *fl6 = &fl->u.ip6; struct sk_buff *skb; int err = -ENOMEM; @@ -463,8 +464,10 @@ static int tcp_v6_send_synack(const struct sock *sk, struct dst_entry *dst, fl6->flowlabel = ip6_flowlabel(ipv6_hdr(ireq->pktopts)); rcu_read_lock(); - err = ip6_xmit(sk, skb, fl6, rcu_dereference(np->opt), - np->tclass); + opt = ireq->ipv6_opt; + if (!opt) + opt = rcu_dereference(np->opt); + err = ip6_xmit(sk, skb, fl6, opt, np->tclass); rcu_read_unlock(); err = net_xmit_eval(err); } @@ -476,6 +479,7 @@ done: static void tcp_v6_reqsk_destructor(struct request_sock *req) { + kfree(inet_rsk(req)->ipv6_opt); kfree_skb(inet_rsk(req)->pktopts); } @@ -1112,7 +1116,9 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff * but we make one more one thing there: reattach optmem to newsk. */ - opt = rcu_dereference(np->opt); + opt = ireq->ipv6_opt; + if (!opt) + opt = rcu_dereference(np->opt); if (opt) { opt = ipv6_dup_options(newsk, opt); RCU_INIT_POINTER(newnp->opt, opt);
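Review bot: in the include/net/inet_sock.h hunk, the new anonymous struct puts ipv6_opt at the same offset as the IPv4 `opt` pointer, so the existing `ireq->opt = NULL` in inet_reqsk_alloc is what initialises ipv6_opt, while pktopts (which previously overlaid `opt`) no longer gets that implicit NULL. That layout dependency is the only thing keeping the two new kfree(ipv6_opt) calls safe; a one-line comment above the union saying ipv6_opt must stay first so it aliases `opt` would protect it from a later reordering. The same comment should state the ownership rule the rest of the patch assumes: ipv6_opt is released with plain kfree(), so whoever sets it must allocate with kmalloc() rather than sock_kmalloc(), and a non-NULL value replaces the listener's np->opt entirely rather than merging with it.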
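Review bot: in the dccp_v6_send_response hunk, the fallback `opt = ireq->ipv6_opt; if (!opt) opt = rcu_dereference(np->opt);` is correct, but the identical three lines are repeated in dccp_v6_request_recv_sock, tcp_v6_send_synack and tcp_v6_syn_recv_sock. A small static inline in include/net/inet_sock.h that takes the request sock and the listener's ipv6_pinfo and returns the effective ipv6_txoptions pointer would keep the precedence rule in one place so DCCP and TCP cannot drift apart.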
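Review bot: in the dccp_v6_reqsk_destructor hunk, the new `kfree(inet_rsk(req)->ipv6_opt);` is safe only because every DCCP request sock reaching this destructor was allocated through inet_reqsk_alloc, where `ireq->opt = NULL` zeroes the aliased ipv6_opt. The commit message should say so explicitly, since a request sock created on any other path would hit kfree() on an uninitialised pointer.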
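Review bot: in the dccp_v6_request_recv_sock hunk, the surrounding comment still describes the options as coming from the listener ("reattach optmem to newsk") and says nothing about ireq->ipv6_opt taking precedence; it should be updated to say the request sock's own options win when the security hook has set them. Note also that ipv6_dup_options() copies into newsk, so the request sock still owns its ipv6_opt and the destructor's kfree() is not a double free; the rcu_read_lock() around this block is still required for the np->opt fallback branch.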
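Review bot: in the net/ipv4/tcp_input.c hunk, `ireq->pktopts = NULL;` is added but ipv6_opt is left to be zeroed implicitly through its overlap with `opt`. Adding an explicit `ireq->ipv6_opt = NULL;` inside the same `#if IS_ENABLED(CONFIG_IPV6)` block costs nothing and makes the initialisation independent of the union layout; the `#if` guard itself is needed because the IPv6 members only exist when CONFIG_IPV6 is enabled.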
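Review bot: in the tcp_v6_send_synack hunk, ireq->ipv6_opt is read without any locking, which is fine only while the pointer is written once, before the request sock is hashed and becomes visible to the SYN-ACK retransmit timer. Since security_inet_conn_request() runs before that point this holds today, but it is worth stating in the field's comment that ipv6_opt must not be modified after the request sock is published.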
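Review bot: in the tcp_v6_reqsk_destructor hunk, `kfree(inet_rsk(req)->ipv6_opt);` also runs for request socks built from SYN cookies and for fast-open requests; it is safe provided all of those paths allocate through inet_reqsk_alloc so ipv6_opt starts as NULL, which would be worth confirming in the commit message.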
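Review bot: in the tcp_v6_syn_recv_sock hunk, the comment above the changed lines ("but we make one more one thing there: reattach optmem to newsk") describes only the listener's np->opt path and should mention that ireq->ipv6_opt now takes precedence when set; the existing `if (opt)` handling of a NULL result from ipv6_dup_options() remains correct for both sources.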