tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

lsm: Relocate the IPv4 security_inet_conn_request() hooks

The current placement of the security_inet_conn_request() hooks do not allow
individual LSMs to override the IP options of the connection's request_sock.
This is a problem as both SELinux and Smack have the ability to use labeled
networking protocols which make use of IP options to carry security attributes
and the inability to set the IP options at the start of the TCP handshake is
problematic.

This patch moves the IPv4 security_inet_conn_request() hooks past the code
where the request_sock's IP options are set/reset so that the LSM can safely
manipulate the IP options as needed. This patch intentionally does not change
the related IPv6 hooks as IPv6 based labeling protocols which use IPv6 options
are not currently implemented, once they are we will have a better idea of
the correct placement for the IPv6 hooks.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: James Morris <jmorris@namei.org>

authored by

Paul Moore and committed by
James Morris 284904aa bb798169

+9 -7
+5 -4
net/ipv4/syncookies.c
··· 288 288 if (!req) 289 289 goto out; 290 290 291 - if (security_inet_conn_request(sk, skb, req)) { 292 - reqsk_free(req); 293 - goto out; 294 - } 295 291 ireq = inet_rsk(req); 296 292 treq = tcp_rsk(req); 297 293 treq->rcv_isn = ntohl(th->seq) - 1; ··· 316 320 kfree(ireq->opt); 317 321 ireq->opt = NULL; 318 322 } 323 + } 324 + 325 + if (security_inet_conn_request(sk, skb, req)) { 326 + reqsk_free(req); 327 + goto out; 319 328 } 320 329 321 330 req->expires = 0UL;
+4 -3
net/ipv4/tcp_ipv4.c
··· 1230 1230 1231 1231 tcp_openreq_init(req, &tmp_opt, skb); 1232 1232 1233 - if (security_inet_conn_request(sk, skb, req)) 1234 - goto drop_and_free; 1235 - 1236 1233 ireq = inet_rsk(req); 1237 1234 ireq->loc_addr = daddr; 1238 1235 ireq->rmt_addr = saddr; 1239 1236 ireq->no_srccheck = inet_sk(sk)->transparent; 1240 1237 ireq->opt = tcp_v4_save_options(sk, skb); 1238 + 1239 + if (security_inet_conn_request(sk, skb, req)) 1240 + goto drop_and_free; 1241 + 1241 1242 if (!want_cookie) 1242 1243 TCP_ECN_create_request(req, tcp_hdr(skb)); 1243 1244