Thread: 28 messages, 3 authors, 2024-07-10

Re: [PATCH 1/6] LSM: Infrastructure management of the sock security

From: Paul Moore <paul@paul-moore.com>
Date: 2024-07-10 00:00:13

On Tue, Jul 9, 2024 at 7:29 PM Casey Schaufler [off-list ref] wrote:
On 7/9/2024 4:05 PM, Paul Moore wrote:
On Tue, Jul 9, 2024 at 7:00 PM Casey Schaufler [off-list ref] wrote:
On 7/9/2024 12:15 PM, Paul Moore wrote:
On Mon, Jul 8, 2024 at 5:40 PM Casey Schaufler [off-list ref] wrote:
Move management of the sock->sk_security blob out
of the individual security modules and into the security
infrastructure. Instead of allocating the blobs from within
the modules the modules tell the infrastructure how much
space is required, and the space is allocated there.

Acked-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: Kees Cook <redacted>
Reviewed-by: John Johansen <john.johansen@canonical.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
 include/linux/lsm_hooks.h         |  1 +
 security/apparmor/include/net.h   |  3 +-
 security/apparmor/lsm.c           | 17 +------
 security/apparmor/net.c           |  2 +-
 security/security.c               | 36 +++++++++++++-
 security/selinux/hooks.c          | 80 ++++++++++++++-----------------
 security/selinux/include/objsec.h |  5 ++
 security/selinux/netlabel.c       | 23 ++++-----
 security/smack/smack.h            |  5 ++
 security/smack/smack_lsm.c        | 70 +++++++++++++--------------
 security/smack/smack_netfilter.c  |  4 +-
 11 files changed, 133 insertions(+), 113 deletions(-)
..
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 7eed331e90f0..19346e1817ff 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5495,8 +5488,8 @@ static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk

 static int selinux_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
 {
-       struct sk_security_struct *ssksec = ssk->sk_security;
-       struct sk_security_struct *sksec = sk->sk_security;
+       struct sk_security_struct *ssksec = selinux_sock(ssk);
+       struct sk_security_struct *sksec = selinux_sock(sk);

        ssksec->sclass = sksec->sclass;
        ssksec->sid = sksec->sid;
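Review bot: with sk_security now pointing at the infrastructure-managed blob rather than at a struct sk_security_struct, any direct sk->sk_security dereference that survives this series would read the wrong memory, so the remaining SELinux, Smack and AppArmor files in the diffstat should be checked for such accesses before the series is re-merged; this MPTCP site is the one the thread reports as missed in the version merged into lsm/dev, and both assignments in the hunk correctly go through selinux_sock().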
That's new :)

Unfortunately I merged a previous version of this patch into lsm/dev a
couple of weeks ago (see below) which appears to have a bug based on
the changes in this revision (lore link below).  While I'm generally
averse to popping patches off the lsm/dev branch so as to not upset
any ongoing development work, given that we are at -rc7 it's probably
okay and much cleaner than doing a full revert; I'll remove that
commit now.
Sorry 'bout that. I had troubles with kernels built from lsm/dev crashing,
so I switched to Linus' tree.
No worries, that's fine, my policy is that I'll typically resolve
merge conflicts so long as the patches are based on either Linus' or
the subsystem tree.  In this case it turned out to be a good thing as
it highlighted the MPTCP omission in the commit merged into lsm/dev.

However, do you have any more detail on the lsm/dev crashes you are
seeing?  I wonder if it is general v6.10-rc1 instability ...
Alas, no. My VMs just stopped hard, with no panic or traces.
The problem went away with rc3 (I did almost nothing with rc2)
so I shrugged it off and moved on.
Okay, fair enough.  I haven't seen anything in my testing (although
that is lsm/dev+others merged on top of a Rawhide kernel) so I guess I
won't lose too much sleep over this right now.

-- 
paul-moore.com
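An added user-space model of the scheme the commit message describes (not kernel code and not part of this thread): each module declares how many bytes of sock state it needs, the infrastructure assigns offsets and allocates one blob per socket, and a module reaches its own slice through an accessor like the selinux_sock() the hunk introduces. The last function shows why every direct sk->sk_security dereference has to be converted: it silently reads another module's data. All names except selinux_sock and sk_security are assumptions modelled on the kernel's, with the state structs reduced to a few fields.

```c
#include <stdlib.h>
#include <stddef.h>

#define ALIGN(x, a) (((x) + (a) - 1) & ~((a) - 1))

/* Modelled on the per-module size request: before registration the field
 * holds "bytes needed", afterwards "offset into the shared blob". */
struct blob_sizes { int lbs_sock; };
static int blob_sizes_sock;                 /* total bytes for all modules */

/* Infrastructure side: turn a module's size request into its offset. */
static void lsm_set_blob_size(int *need, int *lbs)
{
    int offset = ALIGN(*lbs, (int)sizeof(void *));
    *lbs = offset + *need;
    *need = offset;                         /* field now means "offset" */
}

struct sock { void *sk_security; };         /* one blob for all modules */
struct sel_sock { unsigned sid, sclass; };  /* modelled SELinux sock state */
struct smk_sock { int label; };             /* modelled Smack sock state */
static struct blob_sizes sel_sizes, smk_sizes;

/* Accessors in the style of selinux_sock(sk) from the hunk. */
static struct sel_sock *selinux_sock(const struct sock *sk)
{ return (struct sel_sock *)((char *)sk->sk_security + sel_sizes.lbs_sock); }
static struct smk_sock *smack_sock(const struct sock *sk)
{ return (struct smk_sock *)((char *)sk->sk_security + smk_sizes.lbs_sock); }

/* Register both modules, allocate the single blob and store a value through
 * each accessor. Returns the blob size, or -1 if allocation fails. */
int setup_sock(struct sock *sk)
{
    blob_sizes_sock = 0;
    sel_sizes.lbs_sock = sizeof(struct sel_sock);
    smk_sizes.lbs_sock = sizeof(struct smk_sock);
    lsm_set_blob_size(&sel_sizes.lbs_sock, &blob_sizes_sock);
    lsm_set_blob_size(&smk_sizes.lbs_sock, &blob_sizes_sock);
    sk->sk_security = calloc(1, (size_t)blob_sizes_sock);
    if (!sk->sk_security)
        return -1;
    selinux_sock(sk)->sid = 7;
    selinux_sock(sk)->sclass = 3;
    smack_sock(sk)->label = 42;
    return blob_sizes_sock;
}

/* Correct read: through the module's accessor. */
int label_via_accessor(const struct sock *sk) { return smack_sock(sk)->label; }
/* Stale pre-conversion read: the blob pointer cast as if it were this
 * module's struct, so it lands on whatever module sits at offset 0. */
int label_via_direct_deref(const struct sock *sk)
{ return ((struct smk_sock *)sk->sk_security)->label; }
```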