Commit 284904aa authored by Paul Moore's avatar Paul Moore Committed by James Morris

lsm: Relocate the IPv4 security_inet_conn_request() hooks

The current placement of the security_inet_conn_request() hooks do not allow
individual LSMs to override the IP options of the connection's request_sock.
This is a problem as both SELinux and Smack have the ability to use labeled
networking protocols which make use of IP options to carry security attributes
and the inability to set the IP options at the start of the TCP handshake is
problematic.

This patch moves the IPv4 security_inet_conn_request() hooks past the code
where the request_sock's IP options are set/reset so that the LSM can safely
manipulate the IP options as needed.  This patch intentionally does not change
the related IPv6 hooks as IPv6 based labeling protocols which use IPv6 options
are not currently implemented, once they are we will have a better idea of
the correct placement for the IPv6 hooks.
Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
Acked-by: default avatarDavid S. Miller <davem@davemloft.net>
Signed-off-by: default avatarJames Morris <jmorris@namei.org>
parent bb798169
...@@ -288,10 +288,6 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb, ...@@ -288,10 +288,6 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
if (!req) if (!req)
goto out; goto out;
if (security_inet_conn_request(sk, skb, req)) {
reqsk_free(req);
goto out;
}
ireq = inet_rsk(req); ireq = inet_rsk(req);
treq = tcp_rsk(req); treq = tcp_rsk(req);
treq->rcv_isn = ntohl(th->seq) - 1; treq->rcv_isn = ntohl(th->seq) - 1;
...@@ -322,6 +318,11 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb, ...@@ -322,6 +318,11 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
} }
} }
if (security_inet_conn_request(sk, skb, req)) {
reqsk_free(req);
goto out;
}
req->expires = 0UL; req->expires = 0UL;
req->retrans = 0; req->retrans = 0;
......
...@@ -1230,14 +1230,15 @@ int tcp_v4_conn_request(struct sock *sk, struct sk_buff *skb) ...@@ -1230,14 +1230,15 @@ int tcp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
tcp_openreq_init(req, &tmp_opt, skb); tcp_openreq_init(req, &tmp_opt, skb);
if (security_inet_conn_request(sk, skb, req))
goto drop_and_free;
ireq = inet_rsk(req); ireq = inet_rsk(req);
ireq->loc_addr = daddr; ireq->loc_addr = daddr;
ireq->rmt_addr = saddr; ireq->rmt_addr = saddr;
ireq->no_srccheck = inet_sk(sk)->transparent; ireq->no_srccheck = inet_sk(sk)->transparent;
ireq->opt = tcp_v4_save_options(sk, skb); ireq->opt = tcp_v4_save_options(sk, skb);
if (security_inet_conn_request(sk, skb, req))
goto drop_and_free;
if (!want_cookie) if (!want_cookie)
TCP_ECN_create_request(req, tcp_hdr(skb)); TCP_ECN_create_request(req, tcp_hdr(skb));
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment