Message ID | 20230405125308.57821-1-arefev@swemel.ru |
---|---|
State | New |
Series | net: Added security socket |
Commit Message
Denis Arefev
April 5, 2023, 12:53 p.m. UTC
Added security_socket_connect
kernel_connect is in kernel space,
but kernel_connect is used in RPC
requests (/net/sunrpc/xprtsock.c),
and the RPC protocol is used by the NFS server.
This is how we protect the TCP connection
initiated by the client.
Signed-off-by: Denis Arefev <arefev@swemel.ru>
---
net/socket.c | 6 ++++++
1 file changed, 6 insertions(+)
Comments
On Wed, 5 Apr 2023 15:53:08 +0300 Denis Arefev wrote:
> Added security_socket_connect
> kernel_connect is in kernel space,
> but kernel_connect is used in RPC
> requests (/net/sunrpc/xprtsock.c),
> and the RPC protocol is used by the NFS server.
> This is how we protect the TCP connection
> initiated by the client.

Can you please format this to look like every other commit in the kernel and use imperative mood?

Then please add to the description _exactly_ how you're going to use it, i.e. an example of a real rule.

And CC linux-security-module@vger.kernel.org
diff --git a/net/socket.c b/net/socket.c index 9c92c0e6c4da..9afa2b44a9e5 100644 --- a/net/socket.c +++ b/net/socket.c @@ -3526,6 +3526,12 @@ EXPORT_SYMBOL(kernel_accept); int kernel_connect(struct socket *sock, struct sockaddr *addr, int addrlen, int flags) { + int err; + + err = security_socket_connect(sock, (struct sockaddr *)addr, addrlen); + if (err) + return err; + return sock->ops->connect(sock, addr, addrlen, flags); } EXPORT_SYMBOL(kernel_connect);
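Review bot: The new security_socket_connect() call at the top of kernel_connect() runs for every in-kernel caller of this exported helper, not only the sunrpc path named in the commit message, so any of them can now see the connect fail with an LSM error before sock->ops->connect() is reached. The description should state that scope and say which subject the hook is expected to evaluate for a kernel-initiated connect. Separately, the cast in (struct sockaddr *)addr is redundant because addr is already declared as struct sockaddr * in the function signature; pass addr directly.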