Kuniyuki Iwashima 0a2bcc3bb7 dccp: Call security_inet_conn_request() after setting IPv4 addresses. ...

[ Upstream commit fa2df45af1 ]

Initially, commit 4237c75c0a ("[MLSXFRM]: Auto-labeling of child
sockets") introduced security_inet_conn_request() in some functions
where reqsk is allocated.  The hook is added just after the allocation,
so reqsk's IPv4 remote address was not initialised then.

However, SELinux/Smack started to read it in netlbl_req_setattr()
after the cited commits.

This bug was partially fixed by commit 284904aa79 ("lsm: Relocate
the IPv4 security_inet_conn_request() hooks").

This patch fixes the last bug in DCCPv4.

Fixes: 389fb800ac ("netlabel: Label incoming TCP connections correctly in SELinux")
Fixes: 07feee8f81 ("netlabel: Cleanup the Smack/NetLabel code to fix incoming TCP connections")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

2023-11-20 11:59:35 +01:00

29 KiB

Raw Blame History

View Raw