selinux/stable-5.16 PR 20211112

-----BEGIN PGP SIGNATURE-----
 
 iQJIBAABCAAyFiEES0KozwfymdVUl37v6iDy2pc3iXMFAmGO6qEUHHBhdWxAcGF1
 bC1tb29yZS5jb20ACgkQ6iDy2pc3iXOBLhAAlcQQnj1Rqkle+c3qnJLshq7/ZU12
 xr4R7OxAsGlQfAsQzJZLBrZhgu9LtZeLx5wSCYyJKJrWvpFQ5nhwzFAybq3qiWNf
 jh0hVTij9WNoDqFP58nUTAmhNH4qqkVvT4qu0Vulnfx7nuyDFF+nJKtpAnVC+Jgo
 84uHx2ehjU/FNq+UCnIOstgu62zjJ8YalKKZmyREQn80tWR73sRz47NO+vGqXoER
 /Pub67jKKc7CnbxCJODX8mhWf3f+usa7myl+z2xPDj32e17eR/QXU3ZmTR7w+SpH
 49TNYIeOyrapD+9hRosdMVDskNz5yuyySk8ZBm+v2EpgmFMXhnYpqVLX5P2ilm1z
 etzv8APCqJTOn05Alissx6bUH0D3OfKlmNgpRHaj2Iuc9S7fJlrvrlB5+1aWF2DS
 O5NIu6ctmNBYAeFe2/Af1qRnoPBX099XDlGon4PPVROQkrKyz/OIrQHo2W2+Jppg
 HysLRjAXuwOw1ODnvfkI2fNAYgRdcv0C9kU7Nqxxhafk87cO7v22grK0zFRjUutp
 k9CfXFkXA1Eg32moxHOzijl1sohL70I2Z7wQj/xeuU7gYqayG1HoZXZVBJmfpMmP
 pCeqe+pGaVBGoLF9ipENLT38eV6wbi5hG3ZFFlUGkTiKb6qokzj4gPQVyDXHLoQe
 TIbdTIOfw8udATo=
 =vK/E
 -----END PGP SIGNATURE-----

Merge tag 'selinux-pr-20211112' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux

Pull selinux fixes from Paul Moore:
 "Unfortunately I need to request a revert for two LSM/SELinux patches
  that came in via the network tree. The two patches in question add a
  new SCTP/LSM hook as well as an SELinux implementation of that LSM
  hook. The short version of "why?" is in the commit description of the
  revert patch, but I'll copy-n-paste the important bits below to save
  some time for the curious:

      ... Unfortunately these two patches were merged without proper
      review (the Reviewed-by and Tested-by tags from Richard Haines
      were for previous revisions of these patches that were
      significantly different) and there are outstanding objections from
      the SELinux maintainers regarding these patches.

      Work is currently ongoing to correct the problems identified in
      the reverted patches, as well as others that have come up during
      review, but it is unclear at this point in time when that work
      will be ready for inclusion in the mainline kernel. In the
      interest of not keeping objectionable code in the kernel for
      multiple weeks, and potentially a kernel release, we are reverting
      the two problematic patches.

  As usual with these things there is plenty of context to go with this
  and I'll try to do my best to provide that now. This effort started
  with a report of SCTP client side peel-offs not working correctly with
  SELinux, Ondrej Mosnacek put forth a patch which he believed properly
  addressed the problem but upon review by the netdev folks Xin Long
  described some additional issues and submitted an improved patchset
  for review. The SELinux folks reviewed Xin Long's initial patchset and
  suggested some changes which resulted in a second patchset (v2) from
  Xin Long; this is the patchset that is currently in your tree.
  Unfortunately this v2 patchset from Xin Long was merged before it had
  spent even just 24 hours on the mailing lists during the early days of
  the merge window, a time when many of us were busy doing verification
  of the newly released v5.15 kernel as well final review and testing of
  our v5.16 pull requests. Making matters worse, upon reviewing the v2
  patchset there were both changes which were found objectionable by
  SELinux standards as well as additional outstanding SCTP/SELinux
  interaction problems. At this point we did two things: resumed working
  on a better fix for the SCTP/SELinux issue(s) - thank you Ondrej - and
  we asked the networking folks to revert the v2 patchset.

  The revert request was obviously rejected, but at the time I believed
  it was just going to be an issue for linux-next; I wasn't expecting
  something this significant that was merged into the networking tree
  during the merge window to make it into your tree in the same window,
  yet as of last night that is exactly what happened. While we continue
  to try and resolve the SCTP/SELinux problem I am asking once again to
  revert the v2 patches and not ship the current
  security_sctp_assoc_established() hook in a v5.16-rcX kernel. If I was
  confident that we could solve these issues in a week, maybe two, I
  would refrain from asking for the revert but our current estimate is
  for a minimum of two weeks for the next patch revision. With the
  likelihood of additional delays due to normal patch review follow-up
  and/or holidays it seems to me that the safest course of action is to
  revert the patch both to try and keep some objectionable code out of a
  release kernel and limit the chances of any new breakages from such a
  change. While the SCTP/SELinux code in v5.15 and earlier has problems,
  they are known problems, and I'd like to try and avoid creating new
  and different problems while we work to fix things properly.

  One final thing to mention: Xin Long's v2 patchset consisted of four
  patches, yet this revert is for only the last two. We see the first
  two patches as good, reasonable, and not likely to cause an issue. In
  an attempt to create a cleaner revert patch we suggest leaving the
  first two patches in the tree as they are currently"

* tag 'selinux-pr-20211112' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
  net,lsm,selinux: revert the security_sctp_assoc_established() hook

Documentation/security/SCTP.rst

@@ -15,7 +15,10 @@ For security module support, three SCTP specific hooks have been implemented::
     security_sctp_assoc_request()
     security_sctp_bind_connect()
     security_sctp_sk_clone()
-    security_sctp_assoc_established()
+
+Also the following security hook has been utilised::
+
+    security_inet_conn_established()
 
 The usage of these hooks are described below with the SELinux implementation
 described in the `SCTP SELinux Support`_ chapter.
@@ -119,12 +122,11 @@ calls **sctp_peeloff**\(3).
     @newsk - pointer to new sock structure.
 
 
-security_sctp_assoc_established()
+security_inet_conn_established()
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-Called when a COOKIE ACK is received, and the peer secid will be
-saved into ``@asoc->peer_secid`` for client::
+Called when a COOKIE ACK is received::
 
-    @asoc - pointer to sctp association structure.
+    @sk  - pointer to sock structure.
     @skb - pointer to skbuff of the COOKIE ACK packet.
 
 
@@ -132,7 +134,7 @@ Security Hooks used for Association Establishment
 -------------------------------------------------
 
 The following diagram shows the use of ``security_sctp_bind_connect()``,
-``security_sctp_assoc_request()``, ``security_sctp_assoc_established()`` when
+``security_sctp_assoc_request()``, ``security_inet_conn_established()`` when
 establishing an association.
 ::
 
@@ -170,7 +172,7 @@ establishing an association.
           <------------------------------------------- COOKIE ACK
           |                                               |
     sctp_sf_do_5_1E_ca                                    |
- Call security_sctp_assoc_established()                   |
+ Call security_inet_conn_established()                    |
  to set the peer label.                                   |
           |                                               |
           |                               If SCTP_SOCKET_TCP or peeled off
@@ -196,7 +198,7 @@ hooks with the SELinux specifics expanded below::
     security_sctp_assoc_request()
     security_sctp_bind_connect()
     security_sctp_sk_clone()
-    security_sctp_assoc_established()
+    security_inet_conn_established()
 
 
 security_sctp_assoc_request()
@@ -269,12 +271,12 @@ sockets sid and peer sid to that contained in the ``@asoc sid`` and
     @newsk - pointer to new sock structure.
 
 
-security_sctp_assoc_established()
+security_inet_conn_established()
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Called when a COOKIE ACK is received where it sets the connection's peer sid
 to that in ``@skb``::
 
-    @asoc - pointer to sctp association structure.
+    @sk  - pointer to sock structure.
     @skb - pointer to skbuff of the COOKIE ACK packet.
 
 

include/linux/lsm_hook_defs.h

@@ -335,8 +335,6 @@ LSM_HOOK(int, 0, sctp_bind_connect, struct sock *sk, int optname,
 	 struct sockaddr *address, int addrlen)
 LSM_HOOK(void, LSM_RET_VOID, sctp_sk_clone, struct sctp_association *asoc,
 	 struct sock *sk, struct sock *newsk)
-LSM_HOOK(void, LSM_RET_VOID, sctp_assoc_established, struct sctp_association *asoc,
-	 struct sk_buff *skb)
 #endif /* CONFIG_SECURITY_NETWORK */
 
 #ifdef CONFIG_SECURITY_INFINIBAND

include/linux/lsm_hooks.h

@@ -1050,11 +1050,6 @@
  *	@asoc pointer to current sctp association structure.
  *	@sk pointer to current sock structure.
  *	@newsk pointer to new sock structure.
- * @sctp_assoc_established:
- *	Passes the @asoc and @chunk->skb of the association COOKIE_ACK packet
- *	to the security module.
- *	@asoc pointer to sctp association structure.
- *	@skb pointer to skbuff of association packet.
  *
  * Security hooks for Infiniband
  *

include/linux/security.h

@@ -1430,8 +1430,6 @@ int security_sctp_bind_connect(struct sock *sk, int optname,
 			       struct sockaddr *address, int addrlen);
 void security_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk,
 			    struct sock *newsk);
-void security_sctp_assoc_established(struct sctp_association *asoc,
-				     struct sk_buff *skb);
 
 #else	/* CONFIG_SECURITY_NETWORK */
 static inline int security_unix_stream_connect(struct sock *sock,
@@ -1651,11 +1649,6 @@ static inline void security_sctp_sk_clone(struct sctp_association *asoc,
 					  struct sock *newsk)
 {
 }
-
-static inline void security_sctp_assoc_established(struct sctp_association *asoc,
-						   struct sk_buff *skb)
-{
-}
 #endif	/* CONFIG_SECURITY_NETWORK */
 
 #ifdef CONFIG_SECURITY_INFINIBAND

net/sctp/sm_statefuns.c

@@ -946,7 +946,7 @@ enum sctp_disposition sctp_sf_do_5_1E_ca(struct net *net,
 	sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
 
 	/* Set peer label for connection. */
-	security_sctp_assoc_established((struct sctp_association *)asoc, chunk->skb);
+	security_inet_conn_established(ep->base.sk, chunk->skb);
 
 	/* RFC 2960 5.1 Normal Establishment of an Association
 	 *

security/security.c

@@ -2388,13 +2388,6 @@ void security_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk,
 }
 EXPORT_SYMBOL(security_sctp_sk_clone);
 
-void security_sctp_assoc_established(struct sctp_association *asoc,
-				     struct sk_buff *skb)
-{
-	call_void_hook(sctp_assoc_established, asoc, skb);
-}
-EXPORT_SYMBOL(security_sctp_assoc_established);
-
 #endif	/* CONFIG_SECURITY_NETWORK */
 
 #ifdef CONFIG_SECURITY_INFINIBAND

security/selinux/hooks.c

@@ -5502,8 +5502,7 @@ static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk
 	if (!selinux_policycap_extsockclass())
 		return selinux_sk_clone_security(sk, newsk);
 
-	if (asoc->secid != SECSID_WILD)
-		newsksec->sid = asoc->secid;
+	newsksec->sid = asoc->secid;
 	newsksec->peer_sid = asoc->peer_secid;
 	newsksec->sclass = sksec->sclass;
 	selinux_netlbl_sctp_sk_clone(sk, newsk);
@@ -5559,16 +5558,6 @@ static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
 	selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
 }
 
-static void selinux_sctp_assoc_established(struct sctp_association *asoc,
-					   struct sk_buff *skb)
-{
-	struct sk_security_struct *sksec = asoc->base.sk->sk_security;
-
-	selinux_inet_conn_established(asoc->base.sk, skb);
-	asoc->peer_secid = sksec->peer_sid;
-	asoc->secid = SECSID_WILD;
-}
-
 static int selinux_secmark_relabel_packet(u32 sid)
 {
 	const struct task_security_struct *__tsec;
@@ -7239,7 +7228,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
 	LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
 	LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
 	LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
-	LSM_HOOK_INIT(sctp_assoc_established, selinux_sctp_assoc_established),
 	LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
 	LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
 	LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),