Thread (3 messages) 3 messages, 3 authors, 2022-02-17

Re: [PATCH net v3 2/2] security: implement sctp_assoc_established hook in selinux

From: Paul Moore <paul@paul-moore.com>
Date: 2022-02-15 20:03:22
Also in: linux-sctp, linux-security-module, lkml, selinux

On Mon, Feb 14, 2022 at 11:13 PM Xin Long [off-list ref] wrote:
Looks okay to me.

The difference from the old one is that: with
selinux_sctp_process_new_assoc() called in
selinux_sctp_assoc_established(), the client sksec->peer_sid is using
the first asoc's peer_secid, instead of the latest asoc's peer_secid.
And not sure if it will cause any problems when doing the extra check
sksec->peer_sid != asoc->peer_secid for the latest asoc and *returns
err*. But I don't know about selinux, I guess there must be a reason
from selinux side.
Generally speaking we don't want to change any SELinux socket labels
once it has been created.  While the peer_sid is a bit different,
changing it after userspace has access to the socket could be
problematic.  In the case where the peer_sid differs between the two
we have a permission check which allows policy to control this
behavior which seems like the best option at this point.
I will ACK on patch 0/2.
Thanks, I'm going to go ahead and merge these two patches into
selinux/next right now.

-- 
paul-moore.com
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help