Re: [PATCH V8 2/4] sctp: Add ip option support

2018-02-27 Thread Neil Horman
On Mon, Feb 26, 2018 at 05:48:48PM -0500, Paul Moore wrote:
> On Sat, Feb 24, 2018 at 11:18 AM, Richard Haines
>  wrote:
> > Add ip option support to allow LSM security modules to utilise CIPSO/IPv4
> > and CALIPSO/IPv6 services.
> >
> > Signed-off-by: Richard Haines 
> > ---
> > All SCTP lksctp-tools/src/func_tests run correctly in enforcing mode.
> > All "./sctp-tests run" obtained from: https://github.com/sctp/sctp-tests
> > pass.
> >
> > V7 Changes:
> > 1) Log when copy ip options fail for IPv4 and IPv6
> > 2) Correct sctp_setsockopt_maxseg() function. Note that the lksctp-tools
> > func_tests do not test with struct sctp_assoc_value. Just used simple test
> > and okay.
> > 3) Move calculation of overheads to sctp_packet_config().
> > NOTE: Initially in sctp_packet_reset() I set packet->size and
> > packet->overhead to zero (as it is a reset). This was okay for all the
> > lksctp-tools function tests, however when running "sctp-tests" ndatshched
> > tests it causes these to fail with an st_s.log entry of:
> > sid: 3, expected: 3
> > sid: 3, expected: 3
> > unexpected sid packet !!!
> > sid: 1, expected: 3
> >
> > I then found sctp_packet_transmit() relies on setting
> > "packet->size = packet->overhead;" to reset size to the current overhead
> > after sending packets, hence the comment in sctp_packet_reset()
> >
> > V8 Change:
> > Fix sparse warning:
> > net/sctp/protocol.c:269:28: sparse: dereference of noderef expression
> > highlighted in [1] for sctp_v4_ip_options_len() function.
> >
> > [1] https://lists.01.org/pipermail/kbuild-all/2018-February/043695.html
> >
> >  include/net/sctp/sctp.h|  4 +++-
> >  include/net/sctp/structs.h |  2 ++
> >  net/sctp/chunk.c   | 10 +++---
> >  net/sctp/ipv6.c| 45 
> > ++---
> >  net/sctp/output.c  | 34 +-
> >  net/sctp/protocol.c| 43 +++
> >  net/sctp/socket.c  | 11 ---
> >  7 files changed, 122 insertions(+), 27 deletions(-)
> 
> Thanks Richard.
> 
> Neil and Marcelo, I transferred your acked-by to this patch, if you've
> got any objections to that please let me know.
> 
I'm also fine with the transfer, thanks for checking!
Neil




Re: [PATCH V7 2/4] sctp: Add ip option support

2018-02-21 Thread Neil Horman
ned
>   if (val) {
>   int min_len, max_len;
>  
> - min_len = SCTP_DEFAULT_MINSEGMENT - sp->pf->af->net_header_len;
> + min_len = SCTP_DEFAULT_MINSEGMENT - af->net_header_len;
> +     min_len -= af->ip_options_len(sk);
>   min_len -= sizeof(struct sctphdr) +
>  sizeof(struct sctp_data_chunk);
>  
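Review bot: `min_len` is now derived from the socket's IP options length at setsockopt time, but the options attached to a socket can change afterwards (the NetLabel/CIPSO case this series is about), so a user_frag accepted here may later exceed what a packet can carry; confirm that the transmit path still clamps to the current overhead rather than trusting the stored value. The `af` used on the `+` lines replaces `sp->pf->af`, so `af` must be assigned before this `if (val)` block.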
> @@ -3175,7 +3177,8 @@ static int sctp_setsockopt_maxseg(struct sock *sk, char 
> __user *optval, unsigned
>   asoc = sctp_id2assoc(sk, params.assoc_id);
>   if (asoc) {
>   if (val == 0) {
> - val = asoc->pathmtu - sp->pf->af->net_header_len;
> + val = asoc->pathmtu - af->net_header_len;
> + val -= af->ip_options_len(sk);
>   val -= sizeof(struct sctphdr) +
>  sctp_datachk_len(>stream);
>   }
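Review bot: with `sp->pf->af` replaced by `af` in both the min_len and the `val == 0` paths, check whether `sp` still has any use in sctp_setsockopt_maxseg(); if not, drop its declaration to avoid an unused-variable warning. The `val == 0` branch now repeats the overhead arithmetic that also lives in sctp_frag_point() and sctp_datamsg_from_user(); a single helper returning the total per-packet header overhead would keep the three sites from drifting apart.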
> @@ -5087,9 +5090,11 @@ int sctp_do_peeloff(struct sock *sk, sctp_assoc_t id, 
> struct socket **sockp)
>   sctp_copy_sock(sock->sk, sk, asoc);
>  
>   /* Make peeled-off sockets more like 1-1 accepted sockets.
> -  * Set the daddr and initialize id to something more random
> +  * Set the daddr and initialize id to something more random and also
> +  * copy over any ip options.
>*/
>   sp->pf->to_sk_daddr(>peer.primary_addr, sk);
> + sp->pf->copy_ip_options(sk, sock->sk);
>  
>   /* Populate the fields of the newsk from the oldsk and migrate the
>* asoc to the newsk.
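Review bot: sctp_copy_sock() at the top of this hunk is also used by the accept path; confirm that an accepted socket receives the same copy_ip_options() call, or move the call into sctp_copy_sock() so peeloff and accept are covered once. Note also that the callback returns void, so a failed copy here is invisible to the caller and sctp_do_peeloff() still reports success while the new socket carries none of the parent's options.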
> -- 
> 2.14.3
> 
> 
I think this makes a good bit more sense, thanks for the extra pass
Acked-by: Neil Horman <nhor...@tuxdriver.com>




Re: [PATCH V6 2/4] sctp: Add ip option support

2018-02-20 Thread Neil Horman
On Fri, Feb 16, 2018 at 07:51:02PM -0200, Marcelo Ricardo Leitner wrote:
> On Fri, Feb 16, 2018 at 03:14:35PM -0500, Neil Horman wrote:
> > On Fri, Feb 16, 2018 at 10:56:07AM -0200, Marcelo Ricardo Leitner wrote:
> > > On Thu, Feb 15, 2018 at 09:15:40AM -0500, Neil Horman wrote:
> > > > On Tue, Feb 13, 2018 at 08:54:44PM +, Richard Haines wrote:
> > > > > Add ip option support to allow LSM security modules to utilise 
> > > > > CIPSO/IPv4
> > > > > and CALIPSO/IPv6 services.
> > > > > 
> > > > > Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
> > > > > ---
> > > > >  include/net/sctp/sctp.h|  4 +++-
> > > > >  include/net/sctp/structs.h |  2 ++
> > > > >  net/sctp/chunk.c   | 12 +++-
> > > > >  net/sctp/ipv6.c| 42 
> > > > > +++---
> > > > >  net/sctp/output.c  |  5 -
> > > > >  net/sctp/protocol.c| 36 
> > > > >  net/sctp/socket.c  | 14 ++
> > > > >  7 files changed, 97 insertions(+), 18 deletions(-)
> > > > > 
> > > > > diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h
> > > > > index f7ae6b0..25c5c87 100644
> > > > > --- a/include/net/sctp/sctp.h
> > > > > +++ b/include/net/sctp/sctp.h
> > > > > @@ -441,9 +441,11 @@ static inline int sctp_list_single_entry(struct 
> > > > > list_head *head)
> > > > >  static inline int sctp_frag_point(const struct sctp_association 
> > > > > *asoc, int pmtu)
> > > > >  {
> > > > >   struct sctp_sock *sp = sctp_sk(asoc->base.sk);
> > > > > + struct sctp_af *af = sp->pf->af;
> > > > >   int frag = pmtu;
> > > > >  
> > > > > - frag -= sp->pf->af->net_header_len;
> > > > > + frag -= af->ip_options_len(asoc->base.sk);
> > > > > + frag -= af->net_header_len;
> > > > >   frag -= sizeof(struct sctphdr) + 
> > > > > sctp_datachk_len(>stream);
> > > > >  
> > > > >   if (asoc->user_frag)
> > > > > diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
> > > > > index 03e92dd..ead5fce 100644
> > > > > --- a/include/net/sctp/structs.h
> > > > > +++ b/include/net/sctp/structs.h
> > > > > @@ -491,6 +491,7 @@ struct sctp_af {
> > > > >   void(*ecn_capable)(struct sock *sk);
> > > > >   __u16   net_header_len;
> > > > >   int sockaddr_len;
> > > > > + int (*ip_options_len)(struct sock *sk);
> > > > >   sa_family_t sa_family;
> > > > >   struct list_head list;
> > > > >  };
> > > > > @@ -515,6 +516,7 @@ struct sctp_pf {
> > > > >   int (*addr_to_user)(struct sctp_sock *sk, union sctp_addr 
> > > > > *addr);
> > > > >   void (*to_sk_saddr)(union sctp_addr *, struct sock *sk);
> > > > >   void (*to_sk_daddr)(union sctp_addr *, struct sock *sk);
> > > > > + void (*copy_ip_options)(struct sock *sk, struct sock *newsk);
> > > > >   struct sctp_af *af;
> > > > >  };
> > > > >  
> > > > > diff --git a/net/sctp/chunk.c b/net/sctp/chunk.c
> > > > > index 991a530..d5c0ef7 100644
> > > > > --- a/net/sctp/chunk.c
> > > > > +++ b/net/sctp/chunk.c
> > > > > @@ -154,7 +154,6 @@ static void sctp_datamsg_assign(struct 
> > > > > sctp_datamsg *msg, struct sctp_chunk *chu
> > > > >   chunk->msg = msg;
> > > > >  }
> > > > >  
> > > > > -
> > > > >  /* A data chunk can have a maximum payload of (2^16 - 20).  Break
> > > > >   * down any such message into smaller chunks.  Opportunistically, 
> > > > > fragment
> > > > >   * the chunks down to the current MTU constraints.  We may get 
> > > > > refragmented
> > > > > @@ -171,6 +170,8 @@ struct sctp_datamsg 
> > > > > *sctp_datamsg_from_user(struct sctp_association *asoc,
> > > > >   struct list_head *pos, *temp;
> > > > >   struct sctp_chunk *ch

Re: [PATCH V6 2/4] sctp: Add ip option support

2018-02-20 Thread Neil Horman
On Sun, Feb 18, 2018 at 01:44:42PM +, Richard Haines wrote:
> On Fri, 2018-02-16 at 23:28 -0500, Neil Horman wrote:
> > On Fri, Feb 16, 2018 at 07:51:02PM -0200, Marcelo Ricardo Leitner
> > wrote:
> > > On Fri, Feb 16, 2018 at 03:14:35PM -0500, Neil Horman wrote:
> > > > On Fri, Feb 16, 2018 at 10:56:07AM -0200, Marcelo Ricardo Leitner
> > > > wrote:
> > > > > On Thu, Feb 15, 2018 at 09:15:40AM -0500, Neil Horman wrote:
> > > > > > On Tue, Feb 13, 2018 at 08:54:44PM +, Richard Haines
> > > > > > wrote:
> > > > > > > Add ip option support to allow LSM security modules to
> > > > > > > utilise CIPSO/IPv4
> > > > > > > and CALIPSO/IPv6 services.
> > > > > > > 
> > > > > > > Signed-off-by: Richard Haines <richard_c_haines@btinternet.
> > > > > > > com>
> > > > > > > ---
> > > > > > >  include/net/sctp/sctp.h|  4 +++-
> > > > > > >  include/net/sctp/structs.h |  2 ++
> > > > > > >  net/sctp/chunk.c   | 12 +++-
> > > > > > >  net/sctp/ipv6.c| 42
> > > > > > > +++---
> > > > > > >  net/sctp/output.c  |  5 -
> > > > > > >  net/sctp/protocol.c| 36
> > > > > > > 
> > > > > > >  net/sctp/socket.c  | 14 ++
> > > > > > >  7 files changed, 97 insertions(+), 18 deletions(-)
> > > > > > > 
> > > > > > > diff --git a/include/net/sctp/sctp.h
> > > > > > > b/include/net/sctp/sctp.h
> > > > > > > index f7ae6b0..25c5c87 100644
> > > > > > > --- a/include/net/sctp/sctp.h
> > > > > > > +++ b/include/net/sctp/sctp.h
> > > > > > > @@ -441,9 +441,11 @@ static inline int
> > > > > > > sctp_list_single_entry(struct list_head *head)
> > > > > > >  static inline int sctp_frag_point(const struct
> > > > > > > sctp_association *asoc, int pmtu)
> > > > > > >  {
> > > > > > >   struct sctp_sock *sp = sctp_sk(asoc->base.sk);
> > > > > > > + struct sctp_af *af = sp->pf->af;
> > > > > > >   int frag = pmtu;
> > > > > > >  
> > > > > > > - frag -= sp->pf->af->net_header_len;
> > > > > > > + frag -= af->ip_options_len(asoc->base.sk);
> > > > > > > + frag -= af->net_header_len;
> > > > > > >   frag -= sizeof(struct sctphdr) +
> > > > > > > sctp_datachk_len(>stream);
> > > > > > >  
> > > > > > >   if (asoc->user_frag)
> > > > > > > diff --git a/include/net/sctp/structs.h
> > > > > > > b/include/net/sctp/structs.h
> > > > > > > index 03e92dd..ead5fce 100644
> > > > > > > --- a/include/net/sctp/structs.h
> > > > > > > +++ b/include/net/sctp/structs.h
> > > > > > > @@ -491,6 +491,7 @@ struct sctp_af {
> > > > > > >   void(*ecn_capable)(struct sock
> > > > > > > *sk);
> > > > > > >   __u16   net_header_len;
> > > > > > >   int sockaddr_len;
> > > > > > > + int (*ip_options_len)(struct sock
> > > > > > > *sk);
> > > > > > >   sa_family_t sa_family;
> > > > > > >   struct list_head list;
> > > > > > >  };
> > > > > > > @@ -515,6 +516,7 @@ struct sctp_pf {
> > > > > > >   int (*addr_to_user)(struct sctp_sock *sk, union
> > > > > > > sctp_addr *addr);
> > > > > > >   void (*to_sk_saddr)(union sctp_addr *, struct sock
> > > > > > > *sk);
> > > > > > >   void (*to_sk_daddr)(union sctp_addr *, struct sock
> > > > > > > *sk);
> > > > > > > + void (*copy_ip_options)(struct sock *sk, struct
> > > > > > > sock *newsk);
> > > > > > >   struct sctp_af *af;
> > > > > > >  };
> > > > > > >  
> > > > > > > diff --git a/net/sctp/chunk.c b/net/sctp/chunk.

Re: [PATCH V6 2/4] sctp: Add ip option support

2018-02-16 Thread Neil Horman
On Fri, Feb 16, 2018 at 10:56:07AM -0200, Marcelo Ricardo Leitner wrote:
> On Thu, Feb 15, 2018 at 09:15:40AM -0500, Neil Horman wrote:
> > On Tue, Feb 13, 2018 at 08:54:44PM +, Richard Haines wrote:
> > > Add ip option support to allow LSM security modules to utilise CIPSO/IPv4
> > > and CALIPSO/IPv6 services.
> > > 
> > > Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
> > > ---
> > >  include/net/sctp/sctp.h|  4 +++-
> > >  include/net/sctp/structs.h |  2 ++
> > >  net/sctp/chunk.c   | 12 +++-
> > >  net/sctp/ipv6.c| 42 
> > > +++---
> > >  net/sctp/output.c  |  5 -
> > >  net/sctp/protocol.c| 36 
> > >  net/sctp/socket.c  | 14 ++
> > >  7 files changed, 97 insertions(+), 18 deletions(-)
> > > 
> > > diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h
> > > index f7ae6b0..25c5c87 100644
> > > --- a/include/net/sctp/sctp.h
> > > +++ b/include/net/sctp/sctp.h
> > > @@ -441,9 +441,11 @@ static inline int sctp_list_single_entry(struct 
> > > list_head *head)
> > >  static inline int sctp_frag_point(const struct sctp_association *asoc, 
> > > int pmtu)
> > >  {
> > >   struct sctp_sock *sp = sctp_sk(asoc->base.sk);
> > > + struct sctp_af *af = sp->pf->af;
> > >   int frag = pmtu;
> > >  
> > > - frag -= sp->pf->af->net_header_len;
> > > + frag -= af->ip_options_len(asoc->base.sk);
> > > + frag -= af->net_header_len;
> > >   frag -= sizeof(struct sctphdr) + sctp_datachk_len(>stream);
> > >  
> > >   if (asoc->user_frag)
> > > diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
> > > index 03e92dd..ead5fce 100644
> > > --- a/include/net/sctp/structs.h
> > > +++ b/include/net/sctp/structs.h
> > > @@ -491,6 +491,7 @@ struct sctp_af {
> > >   void(*ecn_capable)(struct sock *sk);
> > >   __u16   net_header_len;
> > >   int sockaddr_len;
> > > + int (*ip_options_len)(struct sock *sk);
> > >   sa_family_t sa_family;
> > >   struct list_head list;
> > >  };
> > > @@ -515,6 +516,7 @@ struct sctp_pf {
> > >   int (*addr_to_user)(struct sctp_sock *sk, union sctp_addr *addr);
> > >   void (*to_sk_saddr)(union sctp_addr *, struct sock *sk);
> > >   void (*to_sk_daddr)(union sctp_addr *, struct sock *sk);
> > > + void (*copy_ip_options)(struct sock *sk, struct sock *newsk);
> > >   struct sctp_af *af;
> > >  };
> > >  
> > > diff --git a/net/sctp/chunk.c b/net/sctp/chunk.c
> > > index 991a530..d5c0ef7 100644
> > > --- a/net/sctp/chunk.c
> > > +++ b/net/sctp/chunk.c
> > > @@ -154,7 +154,6 @@ static void sctp_datamsg_assign(struct sctp_datamsg 
> > > *msg, struct sctp_chunk *chu
> > >   chunk->msg = msg;
> > >  }
> > >  
> > > -
> > >  /* A data chunk can have a maximum payload of (2^16 - 20).  Break
> > >   * down any such message into smaller chunks.  Opportunistically, 
> > > fragment
> > >   * the chunks down to the current MTU constraints.  We may get 
> > > refragmented
> > > @@ -171,6 +170,8 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct 
> > > sctp_association *asoc,
> > >   struct list_head *pos, *temp;
> > >   struct sctp_chunk *chunk;
> > >   struct sctp_datamsg *msg;
> > > + struct sctp_sock *sp;
> > > + struct sctp_af *af;
> > >   int err;
> > >  
> > >   msg = sctp_datamsg_new(GFP_KERNEL);
> > > @@ -189,9 +190,11 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct 
> > > sctp_association *asoc,
> > >   /* This is the biggest possible DATA chunk that can fit into
> > >* the packet
> > >*/
> > > - max_data = asoc->pathmtu -
> > > -sctp_sk(asoc->base.sk)->pf->af->net_header_len -
> > > -sizeof(struct sctphdr) - sctp_datachk_len(>stream);
> > > + sp = sctp_sk(asoc->base.sk);
> > > + af = sp->pf->af;
> > > + max_data = asoc->pathmtu - af->net_header_len -
> > > +sizeof(struct sctphdr) - sctp_datachk_len(>stream) -
> > > +af->ip_options_len(asoc->base.sk);
> > >   max_data = SCTP_TRUNC4(max_data);

Re: [PATCH V6 0/4] Add SELinux SCTP protocol support

2018-02-15 Thread Neil Horman
On Wed, Feb 14, 2018 at 02:19:03PM -0500, Paul Moore wrote:
> On Tue, Feb 13, 2018 at 3:52 PM, Richard Haines
>  wrote:
> > These patches have been built on Fedora 27 with kernel-4.16.0-0.rc1 plus
> > the following userspace patches to enable testing:
> >
> > 1) Updates to libsepol 2.7 to support the sctp portcon statement.
> >The patch is available from:
> >  http://arctic.selinuxproject.org/~rhaines/selinux-sctp/
> >  selinux-Add-support-for-the-SCTP-portcon-keyword.patch
> >
> > 2) Updates to the SELinux Test Suite adding SCTP tests. Please read the
> >selinux-testsuite/README.sctp for details. The patch is available from:
> >  http://arctic.selinuxproject.org/~rhaines/selinux-sctp/
> >  selinux-testsuite-Add-SCTP-test-support.patch
> >
> > 3) Updates to lksctp-tools that show SELinux info in sctp_darn and
> >sctp_test. It also contains a minor patch for test_1_to_1_connect.c
> >as when CIPSO/CALIPSO configured, NetLabel returns a different error
> >code for illegal addresses in test 5. The patch is available from:
> >  http://arctic.selinuxproject.org/~rhaines/selinux-sctp/
> >  lksctp-tools-Add-SELinux-support-to-sctp_test-and-sc.patch
> >
> > All SCTP lksctp-tools/src/func_tests run correctly in enforcing mode.
> >
> > All SCTP regression tests "./sctp-tests run" run correctly in enforcing
> > mode. These tests are obtained from: https://github.com/sctp/sctp-tests
> >
> > The selinux-testsuite patch also adds remote tests (that need some manual
> > configuration). These are useful for testing CIPSO/CALIPSO over a network
> > with a number of categories to produce large ip option fields with various
> > message sizes forcing fragmentation etc.
> >
> > Changes since RFC Patch:
> > Removed the NetLabel patch (was [RFC PATCH 4/5] netlabel: Add SCTP support)
> > as re-engineered. However this patchset will require the NetLabel
> > patch at [1] to fully run the SCTP selinux-testsuite.
> >
> > V1 Changes:
> > PATCH 1/4
> > Remove unused parameter from security_sctp_assoc_request().
> > Reformat and update LSM-sctp.rst documentation.
> > PATCH 2/4
> > Add variables and RCU locks as requested in [2] to support IP options.
> > PATCH 3/4
> > Added security_sctp_assoc_request() hook to sctp_sf_do_unexpected_init()
> > and sctp_sf_do_5_2_4_dupcook().
> > Removed security_sctp_assoc_request() hook from sctp_sf_do_5_1C_ack() as
> > no longer required.
> > PATCH 4/4
> > Reformat and update SELinux-sctp.rst documentation.
> > Remove bindx and connectx permissions.
> > Rework selinux_socket_connect() and selinux_netlbl_socket_connect() to
> > utilise helpers for code reuse.
> > Add spinlock to selinux_sctp_assoc_request().
> > Remove unused parameter from security_sctp_assoc_request().
> > Use address->sa_family == AF_INET in *_bind and *_connect to ensure
> > correct address type.
> > Minor cleanups.
> >
> > V2 Changes:
> > PATCH 4/4 - Remove spin lock from selinux_sctp_assoc_request()
> > PATCH 4/4 - Fix selinux_sctp_sk_clone() kbuild test robot catch [3]
> >
> > V3 Changes:
> > PATCH 2/4 - Account for IP options length in sctp.h sctp_frag_point() by
> > Marcelo
> >
> > V4 Changes:
> > PATCH 1/4 - Move specific SELinux descriptions from LSM-sctp.rst and
> > lsm_hooks.h to SELinux-sctp.rst in PATCH 4/4
> > PATCH 4/4 - Rename selinux_netlbl_sctp_socket_connect() to
> > selinux_netlbl_socket_connect_locked() and move description comments to
> > selinux_sctp_bind_connect()
> >
> > V5 Change: Rework selinux_netlbl_socket_connect() and
> > selinux_netlbl_socket_connect_locked as requested by Paul.
> >
> > V6 Changes:
> > Rework SCTP patches 2/4 and 3/4 as there have been major SCTP updates since
> > kernel 4.14.
> >
> > [1] https://marc.info/?l=selinux=151061619115945=2
> > [2] https://marc.info/?l=selinux=150962470215797=2
> > [3] https://marc.info/?l=selinux=151198281817779=2
> >
> > Richard Haines (4):
> >   security: Add support for SCTP security hooks
> >   sctp: Add ip option support
> >   sctp: Add LSM hooks
> >   selinux: Add SCTP support
> 
> Marcelo, or any other SCTP folks, do the SCTP changes still look okay
> to you?  I'd like to merge these into the selinux/next tree by the end
> of the week ...
> 
I had a few comments that I just posted.
Neil

> -- 
> paul moore
> www.paul-moore.com
> --
> To unsubscribe from this list: send the line "unsubscribe linux-sctp" in
> the body of a message to majord...@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 



Re: [PATCH V6 2/4] sctp: Add ip option support

2018-02-15 Thread Neil Horman
On Tue, Feb 13, 2018 at 08:54:44PM +, Richard Haines wrote:
> Add ip option support to allow LSM security modules to utilise CIPSO/IPv4
> and CALIPSO/IPv6 services.
> 
> Signed-off-by: Richard Haines 
> ---
>  include/net/sctp/sctp.h|  4 +++-
>  include/net/sctp/structs.h |  2 ++
>  net/sctp/chunk.c   | 12 +++-
>  net/sctp/ipv6.c| 42 +++---
>  net/sctp/output.c  |  5 -
>  net/sctp/protocol.c| 36 
>  net/sctp/socket.c  | 14 ++
>  7 files changed, 97 insertions(+), 18 deletions(-)
> 
> diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h
> index f7ae6b0..25c5c87 100644
> --- a/include/net/sctp/sctp.h
> +++ b/include/net/sctp/sctp.h
> @@ -441,9 +441,11 @@ static inline int sctp_list_single_entry(struct 
> list_head *head)
>  static inline int sctp_frag_point(const struct sctp_association *asoc, int 
> pmtu)
>  {
>   struct sctp_sock *sp = sctp_sk(asoc->base.sk);
> + struct sctp_af *af = sp->pf->af;
>   int frag = pmtu;
>  
> - frag -= sp->pf->af->net_header_len;
> + frag -= af->ip_options_len(asoc->base.sk);
> + frag -= af->net_header_len;
>   frag -= sizeof(struct sctphdr) + sctp_datachk_len(>stream);
>  
>   if (asoc->user_frag)
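Review bot: sctp_frag_point() is an inline in a header and now calls through `af->ip_options_len`, so every `struct sctp_af` instance (IPv4 in protocol.c, IPv6 in ipv6.c) must set that pointer or the frag point computation dereferences NULL for one address family. The diffstat shows both files touched, but a comment on the callback stating that it must never be NULL would make the contract explicit.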
> diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
> index 03e92dd..ead5fce 100644
> --- a/include/net/sctp/structs.h
> +++ b/include/net/sctp/structs.h
> @@ -491,6 +491,7 @@ struct sctp_af {
>   void(*ecn_capable)(struct sock *sk);
>   __u16   net_header_len;
>   int sockaddr_len;
> + int (*ip_options_len)(struct sock *sk);
>   sa_family_t sa_family;
>   struct list_head list;
>  };
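Review bot: the new `ip_options_len` member is undocumented; add a line stating what it returns (the number of bytes of IP options currently attached to the socket, 0 when none) and that it must be set for every sctp_af. Callers subtract the result directly from MTU-derived sizes, so the callback must never return a negative error code.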
> @@ -515,6 +516,7 @@ struct sctp_pf {
>   int (*addr_to_user)(struct sctp_sock *sk, union sctp_addr *addr);
>   void (*to_sk_saddr)(union sctp_addr *, struct sock *sk);
>   void (*to_sk_daddr)(union sctp_addr *, struct sock *sk);
> + void (*copy_ip_options)(struct sock *sk, struct sock *newsk);
>   struct sctp_af *af;
>  };
>  
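Review bot: `copy_ip_options` returns void, which leaves callers no way to tell that duplicating the options failed. Since the IPv6 implementation allocates, an `int` return (0 or -ENOMEM) would let the peeloff and accept paths fail cleanly instead of silently handing out a socket without the parent's labelling options; if void is kept, the failure should at least be logged.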
> diff --git a/net/sctp/chunk.c b/net/sctp/chunk.c
> index 991a530..d5c0ef7 100644
> --- a/net/sctp/chunk.c
> +++ b/net/sctp/chunk.c
> @@ -154,7 +154,6 @@ static void sctp_datamsg_assign(struct sctp_datamsg *msg, 
> struct sctp_chunk *chu
>   chunk->msg = msg;
>  }
>  
> -
>  /* A data chunk can have a maximum payload of (2^16 - 20).  Break
>   * down any such message into smaller chunks.  Opportunistically, fragment
>   * the chunks down to the current MTU constraints.  We may get refragmented
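Review bot: this hunk only deletes a blank line, as does the hunk around `first_len = max_data;` further down; whitespace-only changes unrelated to the IP option support make the patch noisier to review and should be dropped or sent separately.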
> @@ -171,6 +170,8 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct 
> sctp_association *asoc,
>   struct list_head *pos, *temp;
>   struct sctp_chunk *chunk;
>   struct sctp_datamsg *msg;
> + struct sctp_sock *sp;
> + struct sctp_af *af;
>   int err;
>  
>   msg = sctp_datamsg_new(GFP_KERNEL);
> @@ -189,9 +190,11 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct 
> sctp_association *asoc,
>   /* This is the biggest possible DATA chunk that can fit into
>* the packet
>*/
> - max_data = asoc->pathmtu -
> -sctp_sk(asoc->base.sk)->pf->af->net_header_len -
> -sizeof(struct sctphdr) - sctp_datachk_len(>stream);
> + sp = sctp_sk(asoc->base.sk);
> + af = sp->pf->af;
> + max_data = asoc->pathmtu - af->net_header_len -
> +sizeof(struct sctphdr) - sctp_datachk_len(>stream) -
> +af->ip_options_len(asoc->base.sk);
>   max_data = SCTP_TRUNC4(max_data);
>  
>   /* If the the peer requested that we authenticate DATA chunks
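Review bot: the max_data arithmetic on the `+` lines duplicates the overhead computation in sctp_frag_point() (sctp.h) and in sctp_setsockopt_maxseg(); three hand-maintained copies invite exactly the kind of omission this patch is fixing. Consider one helper that returns `net_header_len + ip_options_len(sk) + sizeof(struct sctphdr) + sctp_datachk_len(...)` and use it from all three call sites.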
> @@ -211,7 +214,6 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct 
> sctp_association *asoc,
>  
>   /* Set first_len and then account for possible bundles on first frag */
>   first_len = max_data;
> -
>   /* Check to see if we have a pending SACK and try to let it be bundled
>* with this message.  Do this if we don't have any data queued already.
>* To check that, look at out_qlen and retransmit list.
> diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
> index e35d4f7..0b0f895 100644
> --- a/net/sctp/ipv6.c
> +++ b/net/sctp/ipv6.c
> @@ -427,6 +427,38 @@ static void sctp_v6_copy_addrlist(struct list_head 
> *addrlist,
>   rcu_read_unlock();
>  }
>  
> +/* Copy over any ip options */
> +static void sctp_v6_copy_ip_options(struct sock *sk, struct sock *newsk)
> +{
> + struct ipv6_pinfo *newnp, *np = inet6_sk(sk);
> + struct ipv6_txoptions *opt;
> +
> + newnp = inet6_sk(newsk);
> +
> + rcu_read_lock();
> + opt = rcu_dereference(np->opt);
> + if (opt)
> + opt = ipv6_dup_options(newsk, opt);
do you want to print a warning here in the event the allocation
for the dup operation fails?

> + RCU_INIT_POINTER(newnp->opt, opt);
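Review bot: on the `+` lines, newnp->opt ends up NULL both when the parent had no options and when ipv6_dup_options() fails, so the caller cannot distinguish the two and the failure is silent, as already raised above. RCU_INIT_POINTER() also overwrites newnp->opt without releasing anything newsk may already hold; that is safe only because newsk is freshly created at both call sites, so a comment stating that assumption (or a WARN_ON(newnp->opt)) would protect future callers. Holding rcu_read_lock() across the duplication is fine since ipv6_dup_options() allocates with GFP_ATOMIC.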

Re: PATCH V5 4/4] selinux: Add SCTP support

2018-01-12 Thread Neil Horman
ck,
>   * Returns zero values on success, negative values on failure.
>   *
>   */
> -int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr)
> +static int selinux_netlbl_socket_connect_helper(struct sock *sk,
> + struct sockaddr *addr)
>  {
>   int rc;
>   struct sk_security_struct *sksec = sk->sk_security;
>   struct netlbl_lsm_secattr *secattr;
>  
> - if (sksec->nlbl_state != NLBL_REQSKB &&
> - sksec->nlbl_state != NLBL_CONNLABELED)
> - return 0;
> -
> - lock_sock(sk);
> -
>   /* connected sockets are allowed to disconnect when the address family
>* is set to AF_UNSPEC, if that is what is happening we want to reset
>* the socket */
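Review bot: the function header changes from the exported selinux_netlbl_socket_connect() to a static selinux_netlbl_socket_connect_helper(), but the kernel-doc block ending just above (`Returns zero values on success, negative values on failure.`) was written for the old name; update its name line and description so the helper is documented as the core that neither checks nlbl_state nor takes the socket lock. With `lock_sock()` removed here, the helper must only be called with the socket already locked; say so in the doc.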
> @@ -498,18 +566,61 @@ int selinux_netlbl_socket_connect(struct sock *sk, 
> struct sockaddr *addr)
>   netlbl_sock_delattr(sk);
>   sksec->nlbl_state = NLBL_REQSKB;
>   rc = 0;
> - goto socket_connect_return;
> + return rc;
>   }
>   secattr = selinux_netlbl_sock_genattr(sk);
>   if (secattr == NULL) {
>   rc = -ENOMEM;
> - goto socket_connect_return;
> + return rc;
>   }
>   rc = netlbl_conn_setattr(sk, addr, secattr);
>   if (rc == 0)
>   sksec->nlbl_state = NLBL_CONNLABELED;
>  
> -socket_connect_return:
> + return rc;
> +}
> +
> +/**
> + * selinux_netlbl_socket_connect_locked - Label a client-side socket on
> + * connect
> + * @sk: the socket to label
> + * @addr: the destination address
> + *
> + * Description:
> + * Attempt to label a connected socket that already has the socket locked
> + * with NetLabel using the given address.
> + * Returns zero values on success, negative values on failure.
> + *
> + */
> +int selinux_netlbl_socket_connect_locked(struct sock *sk,
> +  struct sockaddr *addr)
> +{
> + struct sk_security_struct *sksec = sk->sk_security;
> +
> + if (sksec->nlbl_state != NLBL_REQSKB &&
> + sksec->nlbl_state != NLBL_CONNLABELED)
> + return 0;
> +
> + return selinux_netlbl_socket_connect_helper(sk, addr);
> +}
> +
> +/**
> + * selinux_netlbl_socket_connect - Label a client-side socket on connect
> + * @sk: the socket to label
> + * @addr: the destination address
> + *
> + * Description:
> + * Attempt to label a connected socket with NetLabel using the given address.
> + * Returns zero values on success, negative values on failure.
> + *
> + */
> +int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr)
> +{
> + int rc;
> +
> + lock_sock(sk);
> + rc = selinux_netlbl_socket_connect_locked(sk, addr);
>   release_sock(sk);
> +
>   return rc;
>  }
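Review bot: in the helper body the `rc = 0; return rc;` and `rc = -ENOMEM; return rc;` pairs can simply become `return 0;` and `return -ENOMEM;` now that the `socket_connect_return` label is gone, leaving `rc` only for the netlbl_conn_setattr() result. The split itself reads well: selinux_netlbl_socket_connect_locked() performs the state check for callers that already hold the lock, and selinux_netlbl_socket_connect() keeps the lock/unlock for the existing callers.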
> -- 
> 2.14.3
> 
> 
Acked-by: Neil Horman <nhor...@tuxdriver.com>



Re: [RFC PATCH 3/5] sctp: Add LSM hooks

2017-10-20 Thread Neil Horman
On Wed, Oct 18, 2017 at 11:05:09PM +0800, Xin Long wrote:
> On Tue, Oct 17, 2017 at 9:58 PM, Richard Haines
>  wrote:
> > Add security hooks to allow security modules to exercise access control
> > over SCTP.
> >
> > Signed-off-by: Richard Haines 
> > ---
> >  include/net/sctp/structs.h | 10 
> >  include/uapi/linux/sctp.h  |  1 +
> >  net/sctp/sm_make_chunk.c   | 12 +
> >  net/sctp/sm_statefuns.c| 14 ++-
> >  net/sctp/socket.c  | 61 
> > +-
> >  5 files changed, 96 insertions(+), 2 deletions(-)
> >
> > diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
> > index 7767577..6e72e3e 100644
> > --- a/include/net/sctp/structs.h
> > +++ b/include/net/sctp/structs.h
> > @@ -1270,6 +1270,16 @@ struct sctp_endpoint {
> >   reconf_enable:1;
> >
> > __u8  strreset_enable;
> > +
> > +   /* Security identifiers from incoming (INIT). These are set by
> > +* security_sctp_assoc_request(). These will only be used by
> > +* SCTP TCP type sockets and peeled off connections as they
> > +* cause a new socket to be generated. security_sctp_sk_clone()
> > +* will then plug these into the new socket.
> > +*/
> > +
> > +   u32 secid;
> > +   u32 peer_secid;
> >  };
> >
> >  /* Recover the outter endpoint structure. */
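Review bot: secid and peer_secid are stored on the sctp_endpoint, i.e. per socket, while the hook that fills them (security_sctp_assoc_request(), per the comment) runs for every incoming INIT. On a 1-to-many style socket a later association's INIT could overwrite values that a TCP-style accept or a peeloff has not yet consumed; the comment says they are only used for TCP-style and peeled-off sockets, but nothing in the structure enforces that, so either the hook should store them only for the first association or the comment should describe the overwrite behaviour. The blank line between the comment block and the members it describes should also go.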
> > diff --git a/include/uapi/linux/sctp.h b/include/uapi/linux/sctp.h
> > index 6217ff8..c04812f 100644
> > --- a/include/uapi/linux/sctp.h
> > +++ b/include/uapi/linux/sctp.h
> > @@ -122,6 +122,7 @@ typedef __s32 sctp_assoc_t;
> >  #define SCTP_RESET_ASSOC   120
> >  #define SCTP_ADD_STREAMS   121
> >  #define SCTP_SOCKOPT_PEELOFF_FLAGS 122
> > +#define SCTP_SENDMSG_CONNECT   123
> >
> >  /* PR-SCTP policies */
> >  #define SCTP_PR_SCTP_NONE  0x
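Review bot: SCTP_SENDMSG_CONNECT 123 is a new uapi constant and therefore ABI; add a one-line comment describing what the option does and confirm that the socket.c changes in the diffstat actually handle it, since an unused or undocumented uapi value is hard to retire later.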
> > diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
> > index 6110447..ca4705b 100644
> > --- a/net/sctp/sm_make_chunk.c
> > +++ b/net/sctp/sm_make_chunk.c
> > @@ -3059,6 +3059,12 @@ static __be16 sctp_process_asconf_param(struct 
> > sctp_association *asoc,
> > if (af->is_any())
> > memcpy(, >source, sizeof(addr));
> >
> > +   if (security_sctp_bind_connect(asoc->ep->base.sk,
> > +  SCTP_PARAM_ADD_IP,
> > +  (struct sockaddr *),
> > +  af->sockaddr_len))
> > +   return SCTP_ERROR_REQ_REFUSED;
> > +
> > /* ADDIP 4.3 D9) If an endpoint receives an ADD IP address
> >  * request and does not have the local resources to add this
> >  * new address to the association, it MUST return an Error
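Review bot: placing the security_sctp_bind_connect() check before the ADDIP 4.3 D9 resource check means a denied address is never added, which is the right order. The denial is reported to the peer as SCTP_ERROR_REQ_REFUSED, the same cause used for a resource refusal; a short comment explaining that choice (a policy denial deliberately does not get a distinct error cause) would help future readers.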
> > @@ -3125,6 +3131,12 @@ static __be16 sctp_process_asconf_param(struct 
> > sctp_association *asoc,
> > if (af->is_any())
> > memcpy(, sctp_source(asconf), sizeof(addr));
> >
> > +   if (security_sctp_bind_connect(asoc->ep->base.sk,
> > +  SCTP_PARAM_SET_PRIMARY,
> > +  (struct sockaddr *),
> > +  af->sockaddr_len))
> > +   return SCTP_ERROR_REQ_REFUSED;
> > +
> > peer = sctp_assoc_lookup_paddr(asoc, );
> > if (!peer)
> > return SCTP_ERROR_DNS_FAILED;
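Review bot: here the LSM check runs before sctp_assoc_lookup_paddr(), so an address that is both unknown to the association and denied by policy now yields SCTP_ERROR_REQ_REFUSED instead of the previous SCTP_ERROR_DNS_FAILED. If preserving the existing error cause for unknown addresses matters, do the lookup first and run the hook only on a known peer; otherwise record the deliberate ordering in a comment.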
> > diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
> > index b2a74c3..4ba5805 100644
> > --- a/net/sctp/sm_statefuns.c
> > +++ b/net/sctp/sm_statefuns.c
> > @@ -314,6 +314,11 @@ sctp_disposition_t sctp_sf_do_5_1B_init(struct net 
> > *net,
> > sctp_unrecognized_param_t *unk_param;
> > int len;
> >
> > +   /* Update socket peer label if first association. */
> > +   if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
> > +   chunk->skb, SCTP_CID_INIT))
> > +   return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
> > +
> > /* 6.10 Bundling
> >  * An endpoint MUST NOT bundle INIT, INIT ACK or
> >  * SHUTDOWN COMPLETE with any other chunks.
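Review bot: the `(struct sctp_endpoint *)ep` cast strips the `const` from the state function's ep parameter so the hook can write secid/peer_secid into it; casting away const to mutate an object the API promises not to modify is a smell. Prefer adjusting the hook so the cast is unnecessary, or add a comment justifying it. Discarding the INIT via sctp_sf_pdiscard() on denial means the peer sees silence rather than an ABORT; that is a reasonable choice, but the comment should state it is intentional.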
> > @@ -446,7 +451,6 @@ sctp_disposition_t sctp_sf_do_5_1B_init(struct net *net,
> > }
> >
> > sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
> > -
> > sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
> >
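Review bot: this hunk only removes a blank line; it is unrelated to the LSM hooks and should be dropped from the patch.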
> > /*
> > @@ -507,6 +511,11 @@ sctp_disposition_t sctp_sf_do_5_1C_ack(struct net *net,
> > struct sctp_chunk *err_chunk;
> > struct sctp_packet *packet;
> >
> > +   /* Update socket peer label if first association. */
> > +   if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
> > +
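Review bot: the same "Update socket peer label if first association" call is added to sctp_sf_do_5_1C_ack() as well as to sctp_sf_do_5_1B_init(); the two presumably cover the INIT-receiving and INIT-ACK-receiving sides, but the identical comment hides that distinction, and the second call re-runs the hook on an endpoint the INIT path may already have labelled. Spell out in each comment which side it covers, and confirm the hook is safe to run twice for the same endpoint.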