From patchwork Fri Mar 19 13:05:41 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Brazdil X-Patchwork-Id: 404787 Delivered-To: patch@linaro.org Received: by 2002:a02:8562:0:0:0:0:0 with SMTP id g89csp1357767jai; Fri, 19 Mar 2021 06:08:37 -0700 (PDT) X-Google-Smtp-Source: ABdhPJy2XQMNpbUu2GaWdyUxDeX+FgobEpipt4BVa3OfnKAFj4JoogB2/a6jdr2DUxLcfY/d6Dyt X-Received: by 2002:aa7:ce1a:: with SMTP id d26mr9349637edv.206.1616159317486; Fri, 19 Mar 2021 06:08:37 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1616159317; cv=none; d=google.com; s=arc-20160816; b=oufX43OJZy/wIMRRj8T0SKRjPM7P2FJIfO86sdeWIfkeX+2S5bZ7TQIZ7DsmfPYiP+ zl8EOWdDakhNqqGOjMW/jBpE3/HaJJ+p4bfzqqOqI3awB9OpAADvVj5I2APAiXdKQRoi b+PrSqloaxDG/L69X5OVSj3i/PPvZVg/jQeRuqPzM9fvmjWBJFAkTdhWgzKXh/uzXk5o 5JEGkaLwacMpYJfECpISnjMY28w+GEvOxREnZIGwtrz1FU1BPLumAGnu0ASJpHw/Q2Ph RwNXhFX+U1YoocbfFjQ3SSMxrIJv3f8FUHu8XWxpqBmypx2oPokoxR3x9oLyhjai5Urw Ka1g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:mime-version:message-id:date :dkim-signature; bh=N6ZyWsQjyYITH1DtAAAV8hrkc7rjv8eAm0Bac9Z5PT8=; b=vpzRk59VVI9yAW2cAhalsuUBZq9ruwpXXoOzLeEF2VuOKgFNMb4m021/F+wOqI0bxX MpZ9yBIhlQLj845pQ623yoLlJBvhzurYKtOYHDJNWOpt4VZ4KOgtT6sFl8CcnPKRKf2y dpBfgGvKEfa7ADVolAX30r+DKvUYDuzT6QQZNNTyoVUEw7pWaHEYtLg4nWEuELS14nkd eFGRMfjhP9rjk8LfABZSF1UWFf8OhM3cmlCh3WgOzoIWxKW875/ePoSTN5jTRqI3dSPo 0PwgQyJ4bb16j43jhhpnWxc00nWEeoyXdEzleG/N030GvNgbN2J9QC5FtBzbWR/NbFM2 UoDA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b="TnqA//zK"; spf=pass (google.com: domain of netdev-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=netdev-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id bz20si4415869ejc.70.2021.03.19.06.08.37; Fri, 19 Mar 2021 06:08:37 -0700 (PDT) Received-SPF: pass (google.com: domain of netdev-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b="TnqA//zK"; spf=pass (google.com: domain of netdev-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=netdev-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229766AbhCSNIF (ORCPT + 8 others); Fri, 19 Mar 2021 09:08:05 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37564 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229875AbhCSNHq (ORCPT ); Fri, 19 Mar 2021 09:07:46 -0400 Received: from mail-wm1-x34a.google.com (mail-wm1-x34a.google.com [IPv6:2a00:1450:4864:20::34a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 97453C06175F for ; Fri, 19 Mar 2021 06:07:45 -0700 (PDT) Received: by mail-wm1-x34a.google.com with SMTP id n22so4445280wmo.7 for ; Fri, 19 Mar 2021 06:07:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:message-id:mime-version:subject:from:to:cc; bh=N6ZyWsQjyYITH1DtAAAV8hrkc7rjv8eAm0Bac9Z5PT8=; b=TnqA//zK9gQJnaZHXinNxKGVoB7kl5o7IODNaQdi0CVH7hYbntG5Vn8XmGd4JRsa9P /yXBJ2WkZmZcLCipXy8bMFLcatVtT+HUXct5WzDq7XmimshmUCL3zMZoJK+2N1nykbgO RQBeKCBTYkbfi4ue8JmlN5NT5RuSiZIOVQ2iRN/7TTKM07brEQ6aOlwbntrgM1GNzq+Y C9Z+VumWlVuwBGiqSee3g8TOI1/jdLqYc6Q3HBG23h8heizrn98cjOwfp//4gqEsk1WN m63jJW437qM9jJbqU3Ikyl+IwWJSK78g7RQYguuPS0tZt5fuacxhZmmNAonr1zmIIMNt WcRg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:message-id:mime-version:subject:from:to:cc; bh=N6ZyWsQjyYITH1DtAAAV8hrkc7rjv8eAm0Bac9Z5PT8=; b=VuiQohewlrjW6HVRe79cDNrLe2979n06olx0dd1XobaQrVOEcYoaRrWBnimHiA25vq Bu5v6qQ9etHjsCPceob78aGpA+COaFCVo92Ja6BdwuoTuZSXibuEjjABPgUcR+CUSVny Jw8Gy7jbeoS4m3evZjb656L4Iqe9huNSKX23FanCjqliDySaN3OWLppl45rZBO7Tb+jh d71D2OkFPtwqBGYEITZTH6/LBAW6uQqGyNTxdf7KY08FgDuaA+U1IrtasRV73Vbhup6Q 52mq0d5ysNlezW5or8ZkaBdcwmhpYyUgdsHDoKuFwLeVXG+9XHTuKWF1hk72LCgsQnA8 6PGw== X-Gm-Message-State: AOAM530NIwx3TcTUu3clhSHs/xRHo3EkSQlV3VHF+Wwh+5oxugIer4mV H1Jla6SGOwZebmDRnMFSQt6iQXaiT5qCUw== X-Received: from dbrazdil.c.googlers.com ([fda3:e722:ac3:10:28:9cb1:c0a8:7f9b]) (user=dbrazdil job=sendgmr) by 2002:a1c:bc82:: with SMTP id m124mr3708352wmf.118.1616159264141; Fri, 19 Mar 2021 06:07:44 -0700 (PDT) Date: Fri, 19 Mar 2021 13:05:41 +0000 Message-Id: <20210319130541.2188184-1-dbrazdil@google.com> Mime-Version: 1.0 X-Mailer: git-send-email 2.31.0.rc2.261.g7f71774620-goog Subject: [PATCH v2] selinux: vsock: Set SID for socket returned by accept() From: David Brazdil To: selinux@vger.kernel.org Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org, Paul Moore , Stephen Smalley , Eric Paris , Jeff Vander Stoep , Alistair Delva , David Brazdil Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org For AF_VSOCK, accept() currently returns sockets that are unlabelled. Other socket families derive the child's SID from the SID of the parent and the SID of the incoming packet. This is typically done as the connected socket is placed in the queue that accept() removes from. Reuse the existing 'security_sk_clone' hook to copy the SID from the parent (server) socket to the child. There is no packet SID in this case. Fixes: d021c344051a ("VSOCK: Introduce VM Sockets") Signed-off-by: David Brazdil --- Tested on Android AOSP and Fedora 33 with v5.12-rc3. Unit test is available here: https://github.com/SELinuxProject/selinux-testsuite/pull/75 Changes since v1: * reuse security_sk_clone instead of adding a new hook net/vmw_vsock/af_vsock.c | 1 + 1 file changed, 1 insertion(+) -- 2.31.0.rc2.261.g7f71774620-goog diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c index 5546710d8ac1..bc7fb9bf3351 100644 --- a/net/vmw_vsock/af_vsock.c +++ b/net/vmw_vsock/af_vsock.c @@ -755,6 +755,7 @@ static struct sock *__vsock_create(struct net *net, vsk->buffer_size = psk->buffer_size; vsk->buffer_min_size = psk->buffer_min_size; vsk->buffer_max_size = psk->buffer_max_size; + security_sk_clone(parent, sk); } else { vsk->trusted = ns_capable_noaudit(&init_user_ns, CAP_NET_ADMIN); vsk->owner = get_current_cred();