Re: [PATCH V8 2/4] sctp: Add ip option support
On Mon, Feb 26, 2018 at 05:48:48PM -0500, Paul Moore wrote: > On Sat, Feb 24, 2018 at 11:18 AM, Richard Haines >wrote: > > Add ip option support to allow LSM security modules to utilise CIPSO/IPv4 > > and CALIPSO/IPv6 services. > > > > Signed-off-by: Richard Haines > > --- > > All SCTP lksctp-tools/src/func_tests run correctly in enforcing mode. > > All "./sctp-tests run" obtained from: https://github.com/sctp/sctp-tests > > pass. > > > > V7 Changes: > > 1) Log when copy ip options fail for IPv4 and IPv6 > > 2) Correct sctp_setsockopt_maxseg() function. Note that the lksctp-tools > > func_tests do not test with struct sctp_assoc_value. Just used simple test > > and okay. > > 3) Move calculation of overheads to sctp_packet_config(). > > NOTE: Initially in sctp_packet_reset() I set packet->size and > > packet->overhead to zero (as it is a reset). This was okay for all the > > lksctp-tools function tests, however when running "sctp-tests" ndatshched > > tests it causes these to fail with an st_s.log entry of: > > sid: 3, expected: 3 > > sid: 3, expected: 3 > > unexpected sid packet !!! > > sid: 1, expected: 3 > > > > I then found sctp_packet_transmit() relies on setting > > "packet->size = packet->overhead;" to reset size to the current overhead > > after sending packets, hence the comment in sctp_packet_reset() > > > > V8 Change: > > Fix sparse warning: > > net/sctp/protocol.c:269:28: sparse: dereference of noderef expression > > highlighted in [1] for sctp_v4_ip_options_len() function. > > > > [1] https://lists.01.org/pipermail/kbuild-all/2018-February/043695.html > > > > include/net/sctp/sctp.h| 4 +++- > > include/net/sctp/structs.h | 2 ++ > > net/sctp/chunk.c | 10 +++--- > > net/sctp/ipv6.c| 45 > > ++--- > > net/sctp/output.c | 34 +- > > net/sctp/protocol.c| 43 +++ > > net/sctp/socket.c | 11 --- > > 7 files changed, 122 insertions(+), 27 deletions(-) > > Thanks Richard. 
> > Neil and Marcelo, I transferred your acked-by to this patch, if you've > got any objections to that please let me know. > I'm also fine with the transfer, thanks for checking! Neil
Re: [PATCH V7 2/4] sctp: Add ip option support
ned > if (val) { > int min_len, max_len; > > - min_len = SCTP_DEFAULT_MINSEGMENT - sp->pf->af->net_header_len; > + min_len = SCTP_DEFAULT_MINSEGMENT - af->net_header_len; > + min_len -= af->ip_options_len(sk); > min_len -= sizeof(struct sctphdr) + > sizeof(struct sctp_data_chunk); > > @@ -3175,7 +3177,8 @@ static int sctp_setsockopt_maxseg(struct sock *sk, char > __user *optval, unsigned > asoc = sctp_id2assoc(sk, params.assoc_id); > if (asoc) { > if (val == 0) { > - val = asoc->pathmtu - sp->pf->af->net_header_len; > + val = asoc->pathmtu - af->net_header_len; > + val -= af->ip_options_len(sk); > val -= sizeof(struct sctphdr) + > sctp_datachk_len(>stream); > } > @@ -5087,9 +5090,11 @@ int sctp_do_peeloff(struct sock *sk, sctp_assoc_t id, > struct socket **sockp) > sctp_copy_sock(sock->sk, sk, asoc); > > /* Make peeled-off sockets more like 1-1 accepted sockets. > - * Set the daddr and initialize id to something more random > + * Set the daddr and initialize id to something more random and also > + * copy over any ip options. >*/ > sp->pf->to_sk_daddr(>peer.primary_addr, sk); > + sp->pf->copy_ip_options(sk, sock->sk); > > /* Populate the fields of the newsk from the oldsk and migrate the >* asoc to the newsk. > -- > 2.14.3 > > I think this makes a good bit more sense, thanks for the extra pass Acked-by: Neil Horman <nhor...@tuxdriver.com>
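Review bot: in the sctp_do_peeloff hunk the new call `sp->pf->copy_ip_options(sk, sock->sk);` is unchecked and the callback is declared void in the struct sctp_pf hunk quoted elsewhere in this thread, so when the copy fails (the IPv6 implementation duplicates the options with an allocation that can return NULL) the peeled-off socket is handed back to userspace without the CIPSO/CALIPSO options of its parent and neither the kernel nor the caller can refuse it. For a labelling mechanism that is a fail-open default; the V7 changelog says the failure is now logged, but consider returning an int from copy_ip_options and failing the peeloff with -ENOMEM so a child socket can never end up less labelled than the socket it was peeled from.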
Re: [PATCH V6 2/4] sctp: Add ip option support
On Fri, Feb 16, 2018 at 07:51:02PM -0200, Marcelo Ricardo Leitner wrote: > On Fri, Feb 16, 2018 at 03:14:35PM -0500, Neil Horman wrote: > > On Fri, Feb 16, 2018 at 10:56:07AM -0200, Marcelo Ricardo Leitner wrote: > > > On Thu, Feb 15, 2018 at 09:15:40AM -0500, Neil Horman wrote: > > > > On Tue, Feb 13, 2018 at 08:54:44PM +, Richard Haines wrote: > > > > > Add ip option support to allow LSM security modules to utilise > > > > > CIPSO/IPv4 > > > > > and CALIPSO/IPv6 services. > > > > > > > > > > Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com> > > > > > --- > > > > > include/net/sctp/sctp.h| 4 +++- > > > > > include/net/sctp/structs.h | 2 ++ > > > > > net/sctp/chunk.c | 12 +++- > > > > > net/sctp/ipv6.c| 42 > > > > > +++--- > > > > > net/sctp/output.c | 5 - > > > > > net/sctp/protocol.c| 36 > > > > > net/sctp/socket.c | 14 ++ > > > > > 7 files changed, 97 insertions(+), 18 deletions(-) > > > > > > > > > > diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h > > > > > index f7ae6b0..25c5c87 100644 > > > > > --- a/include/net/sctp/sctp.h > > > > > +++ b/include/net/sctp/sctp.h > > > > > @@ -441,9 +441,11 @@ static inline int sctp_list_single_entry(struct > > > > > list_head *head) > > > > > static inline int sctp_frag_point(const struct sctp_association > > > > > *asoc, int pmtu) > > > > > { > > > > > struct sctp_sock *sp = sctp_sk(asoc->base.sk); > > > > > + struct sctp_af *af = sp->pf->af; > > > > > int frag = pmtu; > > > > > > > > > > - frag -= sp->pf->af->net_header_len; > > > > > + frag -= af->ip_options_len(asoc->base.sk); > > > > > + frag -= af->net_header_len; > > > > > frag -= sizeof(struct sctphdr) + > > > > > sctp_datachk_len(>stream); > > > > > > > > > > if (asoc->user_frag) > > > > > diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h > > > > > index 03e92dd..ead5fce 100644 > > > > > --- a/include/net/sctp/structs.h > > > > > +++ b/include/net/sctp/structs.h 
> > > > > @@ -491,6 +491,7 @@ struct sctp_af { > > > > > void(*ecn_capable)(struct sock *sk); > > > > > __u16 net_header_len; > > > > > int sockaddr_len; > > > > > + int (*ip_options_len)(struct sock *sk); > > > > > sa_family_t sa_family; > > > > > struct list_head list; > > > > > }; > > > > > @@ -515,6 +516,7 @@ struct sctp_pf { > > > > > int (*addr_to_user)(struct sctp_sock *sk, union sctp_addr > > > > > *addr); > > > > > void (*to_sk_saddr)(union sctp_addr *, struct sock *sk); > > > > > void (*to_sk_daddr)(union sctp_addr *, struct sock *sk); > > > > > + void (*copy_ip_options)(struct sock *sk, struct sock *newsk); > > > > > struct sctp_af *af; > > > > > }; > > > > > > > > > > diff --git a/net/sctp/chunk.c b/net/sctp/chunk.c > > > > > index 991a530..d5c0ef7 100644 > > > > > --- a/net/sctp/chunk.c > > > > > +++ b/net/sctp/chunk.c > > > > > @@ -154,7 +154,6 @@ static void sctp_datamsg_assign(struct > > > > > sctp_datamsg *msg, struct sctp_chunk *chu > > > > > chunk->msg = msg; > > > > > } > > > > > > > > > > - > > > > > /* A data chunk can have a maximum payload of (2^16 - 20). Break > > > > > * down any such message into smaller chunks. Opportunistically, > > > > > fragment > > > > > * the chunks down to the current MTU constraints. We may get > > > > > refragmented > > > > > @@ -171,6 +170,8 @@ struct sctp_datamsg > > > > > *sctp_datamsg_from_user(struct sctp_association *asoc, > > > > > struct list_head *pos, *temp; > > > > > struct sctp_chunk *ch
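Review bot: the sctp_frag_point hunk turns the overhead computation into an unconditional indirect call, `frag -= af->ip_options_len(asoc->base.sk);`, and the structs.h hunk adds ip_options_len to struct sctp_af without a default, so both the IPv4 and IPv6 sctp_af instances must populate it or this inline dereferences a NULL function pointer on the first fragment-point calculation. The implementations live in protocol.c and ipv6.c according to the diffstat but are outside the quoted lines, so that is the thing to verify in the full patch; a runtime check is not worth it in this path, but a one-line comment on the struct member stating that it is mandatory for every address family would stop a future family from leaving it unset.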
Re: [PATCH V6 2/4] sctp: Add ip option support
On Sun, Feb 18, 2018 at 01:44:42PM +, Richard Haines wrote: > On Fri, 2018-02-16 at 23:28 -0500, Neil Horman wrote: > > On Fri, Feb 16, 2018 at 07:51:02PM -0200, Marcelo Ricardo Leitner > > wrote: > > > On Fri, Feb 16, 2018 at 03:14:35PM -0500, Neil Horman wrote: > > > > On Fri, Feb 16, 2018 at 10:56:07AM -0200, Marcelo Ricardo Leitner > > > > wrote: > > > > > On Thu, Feb 15, 2018 at 09:15:40AM -0500, Neil Horman wrote: > > > > > > On Tue, Feb 13, 2018 at 08:54:44PM +, Richard Haines > > > > > > wrote: > > > > > > > Add ip option support to allow LSM security modules to > > > > > > > utilise CIPSO/IPv4 > > > > > > > and CALIPSO/IPv6 services. > > > > > > > > > > > > > > Signed-off-by: Richard Haines <richard_c_haines@btinternet. > > > > > > > com> > > > > > > > --- > > > > > > > include/net/sctp/sctp.h| 4 +++- > > > > > > > include/net/sctp/structs.h | 2 ++ > > > > > > > net/sctp/chunk.c | 12 +++- > > > > > > > net/sctp/ipv6.c| 42 > > > > > > > +++--- > > > > > > > net/sctp/output.c | 5 - > > > > > > > net/sctp/protocol.c| 36 > > > > > > > > > > > > > > net/sctp/socket.c | 14 ++ > > > > > > > 7 files changed, 97 insertions(+), 18 deletions(-) > > > > > > > > > > > > > > diff --git a/include/net/sctp/sctp.h > > > > > > > b/include/net/sctp/sctp.h > > > > > > > index f7ae6b0..25c5c87 100644 > > > > > > > --- a/include/net/sctp/sctp.h > > > > > > > +++ b/include/net/sctp/sctp.h 
> > > > > > > @@ -441,9 +441,11 @@ static inline int > > > > > > > sctp_list_single_entry(struct list_head *head) > > > > > > > static inline int sctp_frag_point(const struct > > > > > > > sctp_association *asoc, int pmtu) > > > > > > > { > > > > > > > struct sctp_sock *sp = sctp_sk(asoc->base.sk); > > > > > > > + struct sctp_af *af = sp->pf->af; > > > > > > > int frag = pmtu; > > > > > > > > > > > > > > - frag -= sp->pf->af->net_header_len; > > > > > > > + frag -= af->ip_options_len(asoc->base.sk); > > > > > > > + frag -= af->net_header_len; > > > > > > > frag -= sizeof(struct sctphdr) + > > > > > > > sctp_datachk_len(>stream); > > > > > > > > > > > > > > if (asoc->user_frag) > > > > > > > diff --git a/include/net/sctp/structs.h > > > > > > > b/include/net/sctp/structs.h > > > > > > > index 03e92dd..ead5fce 100644 > > > > > > > --- a/include/net/sctp/structs.h > > > > > > > +++ b/include/net/sctp/structs.h > > > > > > > @@ -491,6 +491,7 @@ struct sctp_af { > > > > > > > void(*ecn_capable)(struct sock > > > > > > > *sk); > > > > > > > __u16 net_header_len; > > > > > > > int sockaddr_len; > > > > > > > + int (*ip_options_len)(struct sock > > > > > > > *sk); > > > > > > > sa_family_t sa_family; > > > > > > > struct list_head list; > > > > > > > }; > > > > > > > @@ -515,6 +516,7 @@ struct sctp_pf { > > > > > > > int (*addr_to_user)(struct sctp_sock *sk, union > > > > > > > sctp_addr *addr); > > > > > > > void (*to_sk_saddr)(union sctp_addr *, struct sock > > > > > > > *sk); > > > > > > > void (*to_sk_daddr)(union sctp_addr *, struct sock > > > > > > > *sk); > > > > > > > + void (*copy_ip_options)(struct sock *sk, struct > > > > > > > sock *newsk); > > > > > > > struct sctp_af *af; > > > > > > > }; > > > > > > > > > > > > > > diff --git a/net/sctp/chunk.c b/net/sctp/chunk.
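Review bot: the struct sctp_af hunk adds `int (*ip_options_len)(struct sock *sk);` with no comment, and the name undersells what the IPv6 implementation has to return: CALIPSO is carried in the Hop-by-Hop Options extension header rather than in an IPv4-style options field, so for IPv6 the value is really the transmit extension-header length. A short kernel-doc line on the member saying that it returns the per-packet IP-layer overhead added by the socket's transmit options (IPv4 options or IPv6 extension headers), in bytes and already padded as it will appear on the wire, would make the sctp_frag_point arithmetic self-explanatory; whether the result is 4-byte aligned matters because chunk.c later applies SCTP_TRUNC4 to the difference.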
Re: [PATCH V6 2/4] sctp: Add ip option support
On Fri, Feb 16, 2018 at 10:56:07AM -0200, Marcelo Ricardo Leitner wrote: > On Thu, Feb 15, 2018 at 09:15:40AM -0500, Neil Horman wrote: > > On Tue, Feb 13, 2018 at 08:54:44PM +, Richard Haines wrote: > > > Add ip option support to allow LSM security modules to utilise CIPSO/IPv4 > > > and CALIPSO/IPv6 services. > > > > > > Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com> > > > --- > > > include/net/sctp/sctp.h| 4 +++- > > > include/net/sctp/structs.h | 2 ++ > > > net/sctp/chunk.c | 12 +++- > > > net/sctp/ipv6.c| 42 > > > +++--- > > > net/sctp/output.c | 5 - > > > net/sctp/protocol.c| 36 > > > net/sctp/socket.c | 14 ++ > > > 7 files changed, 97 insertions(+), 18 deletions(-) > > > > > > diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h > > > index f7ae6b0..25c5c87 100644 > > > --- a/include/net/sctp/sctp.h > > > +++ b/include/net/sctp/sctp.h > > > @@ -441,9 +441,11 @@ static inline int sctp_list_single_entry(struct > > > list_head *head) > > > static inline int sctp_frag_point(const struct sctp_association *asoc, > > > int pmtu) > > > { > > > struct sctp_sock *sp = sctp_sk(asoc->base.sk); > > > + struct sctp_af *af = sp->pf->af; > > > int frag = pmtu; > > > > > > - frag -= sp->pf->af->net_header_len; > > > + frag -= af->ip_options_len(asoc->base.sk); > > > + frag -= af->net_header_len; > > > frag -= sizeof(struct sctphdr) + sctp_datachk_len(>stream); > > > > > > if (asoc->user_frag) > > > diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h > > > index 03e92dd..ead5fce 100644 > > > --- a/include/net/sctp/structs.h > > > +++ b/include/net/sctp/structs.h > > > @@ -491,6 +491,7 @@ struct sctp_af { > > > void(*ecn_capable)(struct sock *sk); > > > __u16 net_header_len; > > > int sockaddr_len; > > > + int (*ip_options_len)(struct sock *sk); > > > sa_family_t sa_family; > > > struct list_head list; > > > }; 
> > > @@ -515,6 +516,7 @@ struct sctp_pf { > > > int (*addr_to_user)(struct sctp_sock *sk, union sctp_addr *addr); > > > void (*to_sk_saddr)(union sctp_addr *, struct sock *sk); > > > void (*to_sk_daddr)(union sctp_addr *, struct sock *sk); > > > + void (*copy_ip_options)(struct sock *sk, struct sock *newsk); > > > struct sctp_af *af; > > > }; > > > > > > diff --git a/net/sctp/chunk.c b/net/sctp/chunk.c > > > index 991a530..d5c0ef7 100644 > > > --- a/net/sctp/chunk.c > > > +++ b/net/sctp/chunk.c > > > @@ -154,7 +154,6 @@ static void sctp_datamsg_assign(struct sctp_datamsg > > > *msg, struct sctp_chunk *chu > > > chunk->msg = msg; > > > } > > > > > > - > > > /* A data chunk can have a maximum payload of (2^16 - 20). Break > > > * down any such message into smaller chunks. Opportunistically, > > > fragment > > > * the chunks down to the current MTU constraints. We may get > > > refragmented > > > @@ -171,6 +170,8 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct > > > sctp_association *asoc, > > > struct list_head *pos, *temp; > > > struct sctp_chunk *chunk; > > > struct sctp_datamsg *msg; > > > + struct sctp_sock *sp; > > > + struct sctp_af *af; > > > int err; > > > > > > msg = sctp_datamsg_new(GFP_KERNEL); > > > @@ -189,9 +190,11 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct > > > sctp_association *asoc, > > > /* This is the biggest possible DATA chunk that can fit into > > >* the packet > > >*/ > > > - max_data = asoc->pathmtu - > > > -sctp_sk(asoc->base.sk)->pf->af->net_header_len - > > > -sizeof(struct sctphdr) - sctp_datachk_len(>stream); > > > + sp = sctp_sk(asoc->base.sk); > > > + af = sp->pf->af; > > > + max_data = asoc->pathmtu - af->net_header_len - > > > +sizeof(struct sctphdr) - sctp_datachk_len(>stream) - > > > +af->ip_options_len(asoc->base.sk); > > > max_data = SCTP_TRUNC4(max_data); > &g
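Review bot: after the chunk.c hunk the same pmtu-minus-overheads arithmetic (net_header_len, ip_options_len, sizeof(struct sctphdr) and sctp_datachk_len) is written out by hand in sctp_frag_point() in sctp.h and again in sctp_datamsg_from_user() here, and the V7 notes on this page say sctp_setsockopt_maxseg() gets a third copy. Three hand-maintained copies of the calculation that decides where DATA chunks are fragmented is how off-by-one-header bugs creep in; a single helper that every caller subtracts (a `sctp_packet_overhead(asoc)`-style function, name only a suggestion) would keep them in step and would make the sctp_packet_config() change mentioned in the V7 notes a one-line edit. Minor: the unrelated blank-line removals in sctp_datamsg_assign() and before the SACK-bundling comment belong in a separate cleanup.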
Re: [PATCH V6 0/4] Add SELinux SCTP protocol support
On Wed, Feb 14, 2018 at 02:19:03PM -0500, Paul Moore wrote: > On Tue, Feb 13, 2018 at 3:52 PM, Richard Haines >wrote: > > These patches have been built on Fedora 27 with kernel-4.16.0-0.rc1 plus > > the following userspace patches to enable testing: > > > > 1) Updates to libsepol 2.7 to support the sctp portcon statement. > >The patch is available from: > > http://arctic.selinuxproject.org/~rhaines/selinux-sctp/ > > selinux-Add-support-for-the-SCTP-portcon-keyword.patch > > > > 2) Updates to the SELinux Test Suite adding SCTP tests. Please read the > >selinux-testsuite/README.sctp for details. The patch is available from: > > http://arctic.selinuxproject.org/~rhaines/selinux-sctp/ > > selinux-testsuite-Add-SCTP-test-support.patch > > > > 3) Updates to lksctp-tools that show SELinux info in sctp_darn and > >sctp_test. It also contains a minor patch for test_1_to_1_connect.c > >as when CIPSO/CALIPSO configured, NetLabel returns a different error > >code for illegal addresses in test 5. The patch is available from: > > http://arctic.selinuxproject.org/~rhaines/selinux-sctp/ > > lksctp-tools-Add-SELinux-support-to-sctp_test-and-sc.patch > > > > All SCTP lksctp-tools/src/func_tests run correctly in enforcing mode. > > > > All SCTP regression tests "./sctp-tests run" run correctly in enforcing > > mode. These tests are obtained from: https://github.com/sctp/sctp-tests > > > > The selinux-testsuite patch also adds remote tests (that need some manual > > configuration). These are useful for testing CIPSO/CALIPSO over a network > > with a number of categories to produce large ip option fields with various > > message sizes forcing fragmentation etc.. > > > > Changes since RFC Patch: > > Removed the NetLabel patch (was [RFC PATCH 4/5] netlabel: Add SCTP support) > > as re-engineered. However this patchset will require the NetLabel > > patch at [1] to fully run the SCTP selinux-testsuite. 
> > > > V1 Changes: > > PATCH 1/4 > > Remove unused parameter from security_sctp_assoc_request(). > > Reformat and update LSM-sctp.rst documentation. > > PATCH 2/4 > > Add variables and RCU locks as requested in [2] to support IP options. > > PATCH 3/4 > > Added security_sctp_assoc_request() hook to sctp_sf_do_unexpected_init() > > and sctp_sf_do_5_2_4_dupcook(). > > Removed security_sctp_assoc_request() hook from sctp_sf_do_5_1C_ack() as > > no longer required. > > PATCH 4/4 > > Reformat and update SELinux-sctp.rst documentation. > > Remove bindx and connectx permissions. > > Rework selinux_socket_connect() and selinux_netlbl_socket_connect() to > > utilise helpers for code reuse. > > Add spinlock to selinux_sctp_assoc_request(). > > Remove unused parameter from security_sctp_assoc_request(). > > Use address->sa_family == AF_INET in *_bind and *_connect to ensure > > correct address type. > > Minor cleanups. > > > > V2 Changes: > > PATCH 4/4 - Remove spin lock from selinux_sctp_assoc_request() > > PATCH 4/4 - Fix selinux_sctp_sk_clone() kbuild test robot catch [3] > > > > V3 Changes: > > PATCH 2/4 - Account for IP options length in sctp.h sctp_frag_point() by > > Marcelo > > > > V4 Changes: > > PATCH 1/4 - Move specific SELinux descriptions from LSM-sctp.rst and > > lsm_hooks.h to SELinux-sctp.rst in PATCH 4/4 > > PATCH 4/4 - Rename selinux_netlbl_sctp_socket_connect() to > > selinux_netlbl_socket_connect_locked() and move description comments to > > selinux_sctp_bind_connect() > > > > V5 Change: Rework selinux_netlbl_socket_connect() and > > selinux_netlbl_socket_connect_locked as requested by Paul. > > > > V6 Changes: > > Rework SCTP patches 2/4 and 3/4 as there have been major SCTP updates since > > kernel 4.14. 
> > > > [1] https://marc.info/?l=selinux=151061619115945=2 > > [2] https://marc.info/?l=selinux=150962470215797=2 > > [3] https://marc.info/?l=selinux=151198281817779=2 > > > > Richard Haines (4): > > security: Add support for SCTP security hooks > > sctp: Add ip option support > > sctp: Add LSM hooks > > selinux: Add SCTP support > > Marcelo, or any other SCTP folks, do the SCTP changes still look okay > to you? I'd like to merge these into the selinux/next tree by the end > of the week ... > I had a few comments that I just posted. Neil > -- > paul moore > www.paul-moore.com > -- > To unsubscribe from this list: send the line "unsubscribe linux-sctp" in > the body of a message to majord...@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html >
Re: [PATCH V6 2/4] sctp: Add ip option support
On Tue, Feb 13, 2018 at 08:54:44PM +, Richard Haines wrote: > Add ip option support to allow LSM security modules to utilise CIPSO/IPv4 > and CALIPSO/IPv6 services. > > Signed-off-by: Richard Haines> --- > include/net/sctp/sctp.h| 4 +++- > include/net/sctp/structs.h | 2 ++ > net/sctp/chunk.c | 12 +++- > net/sctp/ipv6.c| 42 +++--- > net/sctp/output.c | 5 - > net/sctp/protocol.c| 36 > net/sctp/socket.c | 14 ++ > 7 files changed, 97 insertions(+), 18 deletions(-) > > diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h > index f7ae6b0..25c5c87 100644 > --- a/include/net/sctp/sctp.h > +++ b/include/net/sctp/sctp.h > @@ -441,9 +441,11 @@ static inline int sctp_list_single_entry(struct > list_head *head) > static inline int sctp_frag_point(const struct sctp_association *asoc, int > pmtu) > { > struct sctp_sock *sp = sctp_sk(asoc->base.sk); > + struct sctp_af *af = sp->pf->af; > int frag = pmtu; > > - frag -= sp->pf->af->net_header_len; > + frag -= af->ip_options_len(asoc->base.sk); > + frag -= af->net_header_len; > frag -= sizeof(struct sctphdr) + sctp_datachk_len(>stream); > > if (asoc->user_frag) > diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h > index 03e92dd..ead5fce 100644 > --- a/include/net/sctp/structs.h > +++ b/include/net/sctp/structs.h > @@ -491,6 +491,7 @@ struct sctp_af { > void(*ecn_capable)(struct sock *sk); > __u16 net_header_len; > int sockaddr_len; > + int (*ip_options_len)(struct sock *sk); > sa_family_t sa_family; > struct list_head list; > }; > @@ -515,6 +516,7 @@ struct sctp_pf { > int (*addr_to_user)(struct sctp_sock *sk, union sctp_addr *addr); > void (*to_sk_saddr)(union sctp_addr *, struct sock *sk); > void (*to_sk_daddr)(union sctp_addr *, struct sock *sk); > + void (*copy_ip_options)(struct sock *sk, struct sock *newsk); > struct sctp_af *af; > }; > > diff --git a/net/sctp/chunk.c b/net/sctp/chunk.c > index 991a530..d5c0ef7 100644 > --- a/net/sctp/chunk.c > +++ b/net/sctp/chunk.c 
> @@ -154,7 +154,6 @@ static void sctp_datamsg_assign(struct sctp_datamsg *msg, > struct sctp_chunk *chu > chunk->msg = msg; > } > > - > /* A data chunk can have a maximum payload of (2^16 - 20). Break > * down any such message into smaller chunks. Opportunistically, fragment > * the chunks down to the current MTU constraints. We may get refragmented > @@ -171,6 +170,8 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct > sctp_association *asoc, > struct list_head *pos, *temp; > struct sctp_chunk *chunk; > struct sctp_datamsg *msg; > + struct sctp_sock *sp; > + struct sctp_af *af; > int err; > > msg = sctp_datamsg_new(GFP_KERNEL); > @@ -189,9 +190,11 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct > sctp_association *asoc, > /* This is the biggest possible DATA chunk that can fit into >* the packet >*/ > - max_data = asoc->pathmtu - > -sctp_sk(asoc->base.sk)->pf->af->net_header_len - > -sizeof(struct sctphdr) - sctp_datachk_len(>stream); > + sp = sctp_sk(asoc->base.sk); > + af = sp->pf->af; > + max_data = asoc->pathmtu - af->net_header_len - > +sizeof(struct sctphdr) - sctp_datachk_len(>stream) - > +af->ip_options_len(asoc->base.sk); > max_data = SCTP_TRUNC4(max_data); > > /* If the the peer requested that we authenticate DATA chunks > @@ -211,7 +214,6 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct > sctp_association *asoc, > > /* Set first_len and then account for possible bundles on first frag */ > first_len = max_data; > - > /* Check to see if we have a pending SACK and try to let it be bundled >* with this message. Do this if we don't have any data queued already. >* To check that, look at out_qlen and retransmit list. > diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c > index e35d4f7..0b0f895 100644 > --- a/net/sctp/ipv6.c > +++ b/net/sctp/ipv6.c 
> @@ -427,6 +427,38 @@ static void sctp_v6_copy_addrlist(struct list_head > *addrlist, > rcu_read_unlock(); > } > > +/* Copy over any ip options */ > +static void sctp_v6_copy_ip_options(struct sock *sk, struct sock *newsk) > +{ > + struct ipv6_pinfo *newnp, *np = inet6_sk(sk); > + struct ipv6_txoptions *opt; > + > + newnp = inet6_sk(newsk); > + > + rcu_read_lock(); > + opt = rcu_dereference(np->opt); > + if (opt) > + opt = ipv6_dup_options(newsk, opt); do you want to print a warning here in the event the allocation for the dup operation fails? > + RCU_INIT_POINTER(newnp->opt, opt);
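Review bot: in the sctp_v6_copy_ip_options hunk `opt = ipv6_dup_options(newsk, opt);` can return NULL and the code then does `RCU_INIT_POINTER(newnp->opt, opt);` regardless, so the failure mode is silent and fail-open: the new socket carries no CALIPSO option while the parent did, and the LSM that asked for it is never told. Because the duplication runs under rcu_read_lock() it has to use an atomic allocation, which fails more readily under memory pressure than a sleeping one, so this is not a purely theoretical path. Beyond the warning asked for above, consider giving copy_ip_options an int return and propagating -ENOMEM so the clone is refused rather than proceeding unlabelled; at minimum the function comment should state that a failed copy leaves newsk without options.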
Re: [PATCH V5 4/4] selinux: Add SCTP support
ck, > * Returns zero values on success, negative values on failure. > * > */ > -int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr) > +static int selinux_netlbl_socket_connect_helper(struct sock *sk, > + struct sockaddr *addr) > { > int rc; > struct sk_security_struct *sksec = sk->sk_security; > struct netlbl_lsm_secattr *secattr; > > - if (sksec->nlbl_state != NLBL_REQSKB && > - sksec->nlbl_state != NLBL_CONNLABELED) > - return 0; > - > - lock_sock(sk); > - > /* connected sockets are allowed to disconnect when the address family >* is set to AF_UNSPEC, if that is what is happening we want to reset >* the socket */ 
> @@ -498,18 +566,61 @@ int selinux_netlbl_socket_connect(struct sock *sk, > struct sockaddr *addr) > netlbl_sock_delattr(sk); > sksec->nlbl_state = NLBL_REQSKB; > rc = 0; > - goto socket_connect_return; > + return rc; > } > secattr = selinux_netlbl_sock_genattr(sk); > if (secattr == NULL) { > rc = -ENOMEM; > - goto socket_connect_return; > + return rc; > } > rc = netlbl_conn_setattr(sk, addr, secattr); > if (rc == 0) > sksec->nlbl_state = NLBL_CONNLABELED; > > -socket_connect_return: > + return rc; > +} > + > +/** > + * selinux_netlbl_socket_connect_locked - Label a client-side socket on > + * connect > + * @sk: the socket to label > + * @addr: the destination address > + * > + * Description: > + * Attempt to label a connected socket that already has the socket locked > + * with NetLabel using the given address. > + * Returns zero values on success, negative values on failure. > + * > + */ > +int selinux_netlbl_socket_connect_locked(struct sock *sk, > + struct sockaddr *addr) > +{ > + struct sk_security_struct *sksec = sk->sk_security; > + > + if (sksec->nlbl_state != NLBL_REQSKB && > + sksec->nlbl_state != NLBL_CONNLABELED) > + return 0; > + > + return selinux_netlbl_socket_connect_helper(sk, addr); > +} > + > +/** > + * selinux_netlbl_socket_connect - Label a client-side socket on connect > + * @sk: the socket to label > + * @addr: the destination address > + * > + * Description: > + * Attempt to label a connected socket with NetLabel using the given address. > + * Returns zero values on success, negative values on failure. 
> + * > + */ > +int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr) > +{ > + int rc; > + > + lock_sock(sk); > + rc = selinux_netlbl_socket_connect_locked(sk, addr); > release_sock(sk); > + > return rc; > } > -- > 2.14.3 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-sctp" in > the body of a message to majord...@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > Acked-by: Neil Horman <nhor...@tuxdriver.com>
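Review bot: in the selinux_netlbl_socket_connect_helper hunk the `rc = 0; return rc;` and `rc = -ENOMEM; return rc;` sequences that replaced the gotos can simply be `return 0;` and `return -ENOMEM;`, leaving rc for the netlbl_conn_setattr() result only. More importantly, selinux_netlbl_socket_connect_locked() differs from selinux_netlbl_socket_connect() only by the caller's promise that the socket is already locked, and nothing in the hunk enforces that; a `sock_owned_by_me(sk);` at the top of the _locked variant turns the promise into a lockdep check, and its kernel-doc should name which SCTP path is expected to call it so the next reader does not have to find the caller in another patch of the series.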
Re: [RFC PATCH 3/5] sctp: Add LSM hooks
On Wed, Oct 18, 2017 at 11:05:09PM +0800, Xin Long wrote: > On Tue, Oct 17, 2017 at 9:58 PM, Richard Haines >wrote: > > Add security hooks to allow security modules to exercise access control > > over SCTP. > > > > Signed-off-by: Richard Haines > > --- > > include/net/sctp/structs.h | 10 > > include/uapi/linux/sctp.h | 1 + > > net/sctp/sm_make_chunk.c | 12 + > > net/sctp/sm_statefuns.c| 14 ++- > > net/sctp/socket.c | 61 > > +- > > 5 files changed, 96 insertions(+), 2 deletions(-) > > > > diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h > > index 7767577..6e72e3e 100644 > > --- a/include/net/sctp/structs.h > > +++ b/include/net/sctp/structs.h > > @@ -1270,6 +1270,16 @@ struct sctp_endpoint { > > reconf_enable:1; > > > > __u8 strreset_enable; > > + > > + /* Security identifiers from incoming (INIT). These are set by > > +* security_sctp_assoc_request(). These will only be used by > > +* SCTP TCP type sockets and peeled off connections as they > > +* cause a new socket to be generated. security_sctp_sk_clone() > > +* will then plug these into the new socket. > > +*/ > > + > > + u32 secid; > > + u32 peer_secid; > > }; > > > > /* Recover the outter endpoint structure. */ > > diff --git a/include/uapi/linux/sctp.h b/include/uapi/linux/sctp.h > > index 6217ff8..c04812f 100644 > > --- a/include/uapi/linux/sctp.h > > +++ b/include/uapi/linux/sctp.h > > @@ -122,6 +122,7 @@ typedef __s32 sctp_assoc_t; > > #define SCTP_RESET_ASSOC 120 > > #define SCTP_ADD_STREAMS 121 > > #define SCTP_SOCKOPT_PEELOFF_FLAGS 122 > > +#define SCTP_SENDMSG_CONNECT 123 > > > > /* PR-SCTP policies */ > > #define SCTP_PR_SCTP_NONE 0x > > diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c > > index 6110447..ca4705b 100644 > > --- a/net/sctp/sm_make_chunk.c > > +++ b/net/sctp/sm_make_chunk.c 
> > @@ -3059,6 +3059,12 @@ static __be16 sctp_process_asconf_param(struct > > sctp_association *asoc, > > if (af->is_any()) > > memcpy(, >source, sizeof(addr)); > > > > + if (security_sctp_bind_connect(asoc->ep->base.sk, > > + SCTP_PARAM_ADD_IP, > > + (struct sockaddr *), > > + af->sockaddr_len)) > > + return SCTP_ERROR_REQ_REFUSED; > > + > > /* ADDIP 4.3 D9) If an endpoint receives an ADD IP address > > * request and does not have the local resources to add this > > * new address to the association, it MUST return an Error > > @@ -3125,6 +3131,12 @@ static __be16 sctp_process_asconf_param(struct > > sctp_association *asoc, > > if (af->is_any()) > > memcpy(, sctp_source(asconf), sizeof(addr)); > > > > + if (security_sctp_bind_connect(asoc->ep->base.sk, > > + SCTP_PARAM_SET_PRIMARY, > > + (struct sockaddr *), > > + af->sockaddr_len)) > > + return SCTP_ERROR_REQ_REFUSED; > > + > > peer = sctp_assoc_lookup_paddr(asoc, ); > > if (!peer) > > return SCTP_ERROR_DNS_FAILED; > > diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c > > index b2a74c3..4ba5805 100644 > > --- a/net/sctp/sm_statefuns.c > > +++ b/net/sctp/sm_statefuns.c > > @@ -314,6 +314,11 @@ sctp_disposition_t sctp_sf_do_5_1B_init(struct net > > *net, > > sctp_unrecognized_param_t *unk_param; > > int len; > > > > + /* Update socket peer label if first association. */ > > + if (security_sctp_assoc_request((struct sctp_endpoint *)ep, > > + chunk->skb, SCTP_CID_INIT)) > > + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); > > + > > /* 6.10 Bundling > > * An endpoint MUST NOT bundle INIT, INIT ACK or > > * SHUTDOWN COMPLETE with any other chunks. > > @@ -446,7 +451,6 @@ sctp_disposition_t sctp_sf_do_5_1B_init(struct net *net, > > } > > > > sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); > > - > > sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); > > > > /* 
> > @@ -507,6 +511,11 @@ sctp_disposition_t sctp_sf_do_5_1C_ack(struct net *net, > > struct sctp_chunk *err_chunk; > > struct sctp_packet *packet; > > > > + /* Update socket peer label if first association. */ > > + if (security_sctp_assoc_request((struct sctp_endpoint *)ep, > > +
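Review bot: in the sctp_sf_do_5_1B_init hunk (and the matching sctp_sf_do_5_1C_ack hunk the quote cuts off) `security_sctp_assoc_request((struct sctp_endpoint *)ep, chunk->skb, SCTP_CID_INIT)` casts away const, and the structs.h hunk's comment says this very hook stores secid and peer_secid into the endpoint, so a state function that receives a const endpoint is now mutating it through the cast. Either give the hook a non-const endpoint where the state machine legitimately owns it, or store the identifiers somewhere the state function already writes; a cast that hides a write is the kind of thing that breaks later when someone relies on the const. Separately, the call sits before the "6.10 Bundling" check and the rest of this function's INIT handling, so an INIT that is discarded later still updates the socket's peer label; placing it after the checks that can return sctp_sf_pdiscard() means the label changes only for INITs that actually go on to create an association.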