Thread: 7 messages, 3 authors, 2023-11-02

Re: [PATCH v1 net 2/2] dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses.

From: Paul Moore <paul@paul-moore.com>
Date: 2023-10-30 22:00:13
Also in: linux-security-module

On Mon, Oct 30, 2023 at 5:20 PM Kuniyuki Iwashima [off-list ref] wrote:
> From: Paul Moore <paul@paul-moore.com>
> Date: Mon, 30 Oct 2023 17:12:33 -0400
>
> > On Mon, Oct 30, 2023 at 4:12 PM Kuniyuki Iwashima [off-list ref] wrote:
> > > Initially, commit 4237c75c0a35 ("[MLSXFRM]: Auto-labeling of child
> > > sockets") introduced security_inet_conn_request() in some functions
> > > where reqsk is allocated.  The hook is added just after the allocation,
> > > so reqsk's IPv6 remote address was not initialised then.
> > >
> > > However, SELinux/Smack started to read it in netlbl_req_setattr()
> > > after commit e1adea927080 ("calipso: Allow request sockets to be
> > > relabelled by the lsm.").
> > >
> > > Commit 284904aa7946 ("lsm: Relocate the IPv4 security_inet_conn_request()
> > > hooks") fixed that kind of issue only in TCPv4 because IPv6 labeling was
> > > not supported at that time.  Finally, the same issue was introduced again
> > > in IPv6.
> > >
> > > Let's apply the same fix on DCCPv6 and TCPv6.
> > >
> > > Fixes: e1adea927080 ("calipso: Allow request sockets to be relabelled by the lsm.")
> > > Signed-off-by: Kuniyuki Iwashima <redacted>
> > > ---
> > > Cc: Huw Davies <redacted>
> > > Cc: Paul Moore <paul@paul-moore.com>
> > > ---
> > >  net/dccp/ipv6.c       | 6 +++---
> > >  net/ipv6/syncookies.c | 7 ++++---
> > >  2 files changed, 7 insertions(+), 6 deletions(-)
> >
> > Thanks for catching this and submitting a patch!
> >
> > It seems like we should also update dccp_v4_conn_request(), what do you think?
>
> Yes, and it's done in patch 1 as it had a separate Fixes tag.
> https://lore.kernel.org/netdev/20231030201042.32885-2-kuniyu@amazon.com/

Great, thanks for doing that.  netdev folks, please feel free to add
my ACK to both patches in the patchset.

Acked-by: Paul Moore <paul@paul-moore.com>

> It seems get_maintainers.pl suggested another email address of
> yours for patch 1.  It would be good to update .mailmap ;)

Yes, I really should, thanks for the reminder.  I'll send an update to
Linus once I get the merge window PRs sorted out.

-- 
paul-moore.com
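The ordering bug described in the patch (an LSM hook that reads the request socket's peer address before that address has been filled in) can be shown with a deliberately simplified model. The following C program is an added example written for this page; it is not kernel code and not part of the patch. All names (`reqsk_model`, `lsm_inet_conn_request`, `conn_request_before_fix`, `conn_request_after_fix`, `label_matches_peer`) are stand-ins: the hook models what netlbl_req_setattr() needs from the request socket, and the two `conn_request_*` functions model the hook placement before and after the fix. The peer address is a constructed sample value.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Simplified model (not kernel code): a request socket carrying an IPv6
 * peer address and the address the LSM recorded when it labelled it. */
struct in6_addr_model { uint8_t s6_addr[16]; };

struct reqsk_model {
    struct in6_addr_model ir_v6_rmt_addr;   /* remote (peer) address */
    struct in6_addr_model label_addr;       /* address the hook labelled from */
    int hook_called;
};

/* Stand-in for security_inet_conn_request(): the LSM derives the request
 * socket's label from the peer address, as netlbl_req_setattr() does. */
static void lsm_inet_conn_request(struct reqsk_model *req)
{
    memcpy(&req->label_addr, &req->ir_v6_rmt_addr, sizeof(req->label_addr));
    req->hook_called = 1;
}

/* Ordering before the fix: hook right after allocation, before the
 * IPv6 addresses are set, so the hook sees an all-zero peer address. */
void conn_request_before_fix(struct reqsk_model *req, const uint8_t peer[16])
{
    memset(req, 0, sizeof(*req));           /* allocation zeroes the struct */
    lsm_inet_conn_request(req);             /* reads ir_v6_rmt_addr == ::  */
    memcpy(req->ir_v6_rmt_addr.s6_addr, peer, 16);
}

/* Ordering after the fix: addresses set first, then the hook. */
void conn_request_after_fix(struct reqsk_model *req, const uint8_t peer[16])
{
    memset(req, 0, sizeof(*req));
    memcpy(req->ir_v6_rmt_addr.s6_addr, peer, 16);
    lsm_inet_conn_request(req);             /* reads the real peer address */
}

/* 1 if the label was derived from the actual peer address, else 0. */
int label_matches_peer(const struct reqsk_model *req)
{
    return req->hook_called &&
           memcmp(req->label_addr.s6_addr, req->ir_v6_rmt_addr.s6_addr, 16) == 0;
}

/* Constructed sample peer address (2001:db8::1, documentation prefix). */
static const uint8_t sample_peer[16] = {
    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x01
};

/* Run the pre-fix ordering; returns 0 because the label came from ::. */
int demo_before_fix(void)
{
    struct reqsk_model req;
    conn_request_before_fix(&req, sample_peer);
    return label_matches_peer(&req);
}

/* Run the post-fix ordering; returns 1 because the label matches the peer. */
int demo_after_fix(void)
{
    struct reqsk_model req;
    conn_request_after_fix(&req, sample_peer);
    return label_matches_peer(&req);
}

int main(void)
{
    printf("before fix: label matches peer = %d\n", demo_before_fix());
    printf("after fix:  label matches peer = %d\n", demo_after_fix());
    return 0;
}
```

The model makes the failure visible as a data-flow issue rather than a crash: nothing is out of bounds, the hook simply runs on a zeroed field, so every IPv6 request socket would be labelled as if its peer were `::`. The same check (does the label-time address equal the final peer address?) is the property a regression test for the real hook placement would assert.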