On Mon, Feb 14, 2022 at 11:13 PM Xin Long [off-list ref] wrote:
Looks okay to me.
The difference from the old one is that: with
selinux_sctp_process_new_assoc() called in
selinux_sctp_assoc_established(), the client sksec->peer_sid is using
the first asoc's peer_secid, instead of the latest asoc's peer_secid.
And not sure if it will cause any problems when doing the extra check
sksec->peer_sid != asoc->peer_secid for the latest asoc and *returns
err*. But I don't know about selinux, I guess there must be a reason
from selinux side.
Generally speaking we don't want to change any SELinux socket labels
once it has been created. While the peer_sid is a bit different,
changing it after userspace has access to the socket could be
problematic. In the case where the peer_sid differs between the two
we have a permission check which allows policy to control this
behavior which seems like the best option at this point.
I will ACK on patch 0/2.
Thanks, I'm going to go ahead and merge these two patches into
selinux/next right now.
--
paul-moore.com