dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses.
Initially, commit4237c75c0a
("[MLSXFRM]: Auto-labeling of child sockets") introduced security_inet_conn_request() in some functions where reqsk is allocated. The hook is added just after the allocation, so reqsk's IPv6 remote address was not initialised then. However, SELinux/Smack started to read it in netlbl_req_setattr() after commite1adea9270
("calipso: Allow request sockets to be relabelled by the lsm."). Commit284904aa79
("lsm: Relocate the IPv4 security_inet_conn_request() hooks") fixed that kind of issue only in TCPv4 because IPv6 labeling was not supported at that time. Finally, the same issue was introduced again in IPv6. Let's apply the same fix on DCCPv6 and TCPv6. Fixes:e1adea9270
("calipso: Allow request sockets to be relabelled by the lsm.") Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com> Acked-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Paolo Abeni <pabeni@redhat.com>
This commit is contained in:
parent
fa2df45af1
commit
23be1e0e2a
@ -360,15 +360,15 @@ static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
|
|||||||
if (dccp_parse_options(sk, dreq, skb))
|
if (dccp_parse_options(sk, dreq, skb))
|
||||||
goto drop_and_free;
|
goto drop_and_free;
|
||||||
|
|
||||||
if (security_inet_conn_request(sk, skb, req))
|
|
||||||
goto drop_and_free;
|
|
||||||
|
|
||||||
ireq = inet_rsk(req);
|
ireq = inet_rsk(req);
|
||||||
ireq->ir_v6_rmt_addr = ipv6_hdr(skb)->saddr;
|
ireq->ir_v6_rmt_addr = ipv6_hdr(skb)->saddr;
|
||||||
ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr;
|
ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr;
|
||||||
ireq->ireq_family = AF_INET6;
|
ireq->ireq_family = AF_INET6;
|
||||||
ireq->ir_mark = inet_request_mark(sk, skb);
|
ireq->ir_mark = inet_request_mark(sk, skb);
|
||||||
|
|
||||||
|
if (security_inet_conn_request(sk, skb, req))
|
||||||
|
goto drop_and_free;
|
||||||
|
|
||||||
if (ipv6_opt_accepted(sk, skb, IP6CB(skb)) ||
|
if (ipv6_opt_accepted(sk, skb, IP6CB(skb)) ||
|
||||||
np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo ||
|
np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo ||
|
||||||
np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim) {
|
np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim) {
|
||||||
|
@ -181,14 +181,15 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb)
|
|||||||
treq = tcp_rsk(req);
|
treq = tcp_rsk(req);
|
||||||
treq->tfo_listener = false;
|
treq->tfo_listener = false;
|
||||||
|
|
||||||
if (security_inet_conn_request(sk, skb, req))
|
|
||||||
goto out_free;
|
|
||||||
|
|
||||||
req->mss = mss;
|
req->mss = mss;
|
||||||
ireq->ir_rmt_port = th->source;
|
ireq->ir_rmt_port = th->source;
|
||||||
ireq->ir_num = ntohs(th->dest);
|
ireq->ir_num = ntohs(th->dest);
|
||||||
ireq->ir_v6_rmt_addr = ipv6_hdr(skb)->saddr;
|
ireq->ir_v6_rmt_addr = ipv6_hdr(skb)->saddr;
|
||||||
ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr;
|
ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr;
|
||||||
|
|
||||||
|
if (security_inet_conn_request(sk, skb, req))
|
||||||
|
goto out_free;
|
||||||
|
|
||||||
if (ipv6_opt_accepted(sk, skb, &TCP_SKB_CB(skb)->header.h6) ||
|
if (ipv6_opt_accepted(sk, skb, &TCP_SKB_CB(skb)->header.h6) ||
|
||||||
np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo ||
|
np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo ||
|
||||||
np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim) {
|
np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim) {
|
||||||
|
Loading…
Reference in New Issue
Block a user