summaryrefslogtreecommitdiff
path: root/Documentation/security
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2022-03-21 20:47:54 -0700
committerLinus Torvalds <torvalds@linux-foundation.org>2022-03-21 20:47:54 -0700
commitc269497d248e43558aafc6b3f87b49d4dd3c2713 (patch)
tree593abde709f11ca9ec0d8908db0faef38b0475de /Documentation/security
parent7f313ff0acdecf0926ab127533a2a93948a2f547 (diff)
parentcdbec3ede0b8cb318c36f5cc945b9360329cbd25 (diff)
downloadlwn-c269497d248e43558aafc6b3f87b49d4dd3c2713.tar.gz
lwn-c269497d248e43558aafc6b3f87b49d4dd3c2713.zip
Merge tag 'selinux-pr-20220321' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux
Pull selinux updates from Paul Moore: "We've got a number of SELinux patches queued up, the highlights are: - Fixup the security_fs_context_parse_param() LSM hook so it executes all of the LSM hook implementations unless a serious error occurs. We also correct the SELinux hook implementation so that it returns zero on success. - In addition to a few SELinux mount option parsing fixes, we simplified the parsing by moving it earlier in the process. The logic was that it was unlikely an admin/user would use the new mount API and not have the policy loaded before passing the SELinux options. - Properly fixed the LSM/SELinux/SCTP hooks with the addition of the security_sctp_assoc_established() hook. This work was done in conjunction with the netdev folks and should complete the move of the SCTP labeling from the endpoints to the associations. - Fixed a variety of sparse warnings caused by changes in the "__rcu" markings of some core kernel structures. - Ensure we access the superblock's LSM security blob using the stacking-safe accessors. - Added the ability for the kernel to always allow FIOCLEX and FIONCLEX if the "ioctl_skip_cloexec" policy capability is specified. - Various constifications improvements, type casting improvements, additional return value checks, and dead code/parameter removal. - Documentation fixes" * tag 'selinux-pr-20220321' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: (23 commits) selinux: shorten the policy capability enum names docs: fix 'make htmldocs' warning in SCTP.rst selinux: allow FIOCLEX and FIONCLEX with policy capability selinux: use correct type for context length selinux: drop return statement at end of void functions security: implement sctp_assoc_established hook in selinux security: add sctp_assoc_established hook selinux: parse contexts for mount options early selinux: various sparse fixes selinux: try to use preparsed sid before calling parse_sid() selinux: Fix selinux_sb_mnt_opts_compat() LSM: general protection fault in legacy_parse_param selinux: fix a type cast problem in cred_init_security() selinux: drop unused macro selinux: simplify cred_init_security selinux: do not discard const qualifier in cast selinux: drop unused parameter of avtab_insert_node selinux: drop cast to same type selinux: enclose macro arguments in parenthesis selinux: declare name parameter of hash_eval const ...
Diffstat (limited to 'Documentation/security')
-rw-r--r--Documentation/security/SCTP.rst26
1 files changed, 12 insertions, 14 deletions
diff --git a/Documentation/security/SCTP.rst b/Documentation/security/SCTP.rst
index d5fd6ccc3dcb..b73eb764a001 100644
--- a/Documentation/security/SCTP.rst
+++ b/Documentation/security/SCTP.rst
@@ -15,10 +15,7 @@ For security module support, three SCTP specific hooks have been implemented::
security_sctp_assoc_request()
security_sctp_bind_connect()
security_sctp_sk_clone()
-
-Also the following security hook has been utilised::
-
- security_inet_conn_established()
+ security_sctp_assoc_established()
The usage of these hooks are described below with the SELinux implementation
described in the `SCTP SELinux Support`_ chapter.
@@ -122,11 +119,12 @@ calls **sctp_peeloff**\(3).
@newsk - pointer to new sock structure.
-security_inet_conn_established()
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-Called when a COOKIE ACK is received::
+security_sctp_assoc_established()
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Called when a COOKIE ACK is received, and the peer secid will be
+saved into ``@asoc->peer_secid`` for client::
- @sk - pointer to sock structure.
+ @asoc - pointer to sctp association structure.
@skb - pointer to skbuff of the COOKIE ACK packet.
@@ -134,7 +132,7 @@ Security Hooks used for Association Establishment
-------------------------------------------------
The following diagram shows the use of ``security_sctp_bind_connect()``,
-``security_sctp_assoc_request()``, ``security_inet_conn_established()`` when
+``security_sctp_assoc_request()``, ``security_sctp_assoc_established()`` when
establishing an association.
::
@@ -172,7 +170,7 @@ establishing an association.
<------------------------------------------- COOKIE ACK
| |
sctp_sf_do_5_1E_ca |
- Call security_inet_conn_established() |
+ Call security_sctp_assoc_established() |
to set the peer label. |
| |
| If SCTP_SOCKET_TCP or peeled off
@@ -198,7 +196,7 @@ hooks with the SELinux specifics expanded below::
security_sctp_assoc_request()
security_sctp_bind_connect()
security_sctp_sk_clone()
- security_inet_conn_established()
+ security_sctp_assoc_established()
security_sctp_assoc_request()
@@ -271,12 +269,12 @@ sockets sid and peer sid to that contained in the ``@asoc sid`` and
@newsk - pointer to new sock structure.
-security_inet_conn_established()
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+security_sctp_assoc_established()
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Called when a COOKIE ACK is received where it sets the connection's peer sid
to that in ``@skb``::
- @sk - pointer to sock structure.
+ @asoc - pointer to sctp association structure.
@skb - pointer to skbuff of the COOKIE ACK packet.