| Message ID | 20230405125308.57821-1-arefev@swemel.ru |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:b0ea:0:b0:3b6:4342:cba0 with SMTP id b10csp294476vqo;
Wed, 5 Apr 2023 06:10:15 -0700 (PDT)
X-Google-Smtp-Source:
AKy350Z3pWwqvK49eAekcuoQlMC9b/x5iA7nI5w3DIEhbIlvuO2miLMFZBPAAheqRktlrfqaHcF7
X-Received: by 2002:a17:903:644:b0:1a2:9dd0:1f74 with SMTP id
kh4-20020a170903064400b001a29dd01f74mr4781885plb.54.1680700214975;
Wed, 05 Apr 2023 06:10:14 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1680700214; cv=none;
d=google.com; s=arc-20160816;
b=pYilVzZKy6VC4Jv2sJQ0LSFWBDsMFxGOSRAoLBy9YnzBhNKyq3qnaOt1WdG4ksQcvh
SdbMP9Y97kXvfM1hWuy5Ch/RjeudWLY1QCMHHYE/hy2RM3wZ1f7D6nzk+TZr2+zEfkic
7WYUNwRJWvXYv0oNsddC3sXsrRyr1519ab7+VD3+hChE66ZBzqGjt/5iUGRpDqA3pl0J
lQMnZPKMsg7zEJslvnFW2KsIy1BPXuna23Cm3R9Rk3cSqclytJ81Hx0fhUJBgP/2ZsEa
+FVJElKAxRKLNtLW7PPPgGW4qQYIjUlUjW0Gpi0PiUEqoCiHRxKYHcFQNebqxyeU0mCQ
syCQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:dkim-signature:from;
bh=8jSMehI3NmhiQSs4S6ALsvgGoTEzZsyVpigKpvyvIMQ=;
b=wx1sFcbUxXc7GG6xz4QpMeQcEVHT7FXdNj4JQj0PSIKoWN3nixmjkUH36ZtvKbseGl
5WWPeZYq/3UGLOHzeS0AdqsgalTZeFsVdDQsek6OvaA15HGzPVtrflLVaMrWtjBxuToq
aqyqofpuAo3qKkvur64q4Zxv+J78tsOc+4jYrRj5UeTUcGLhY2KkdXV9HDIcjrP/6mC/
Uih6WEviG3gRUl35TUV+eXHZOpGe6+SWTv6ZPpYJ1zL3jM01Ib1rd88xz+lpS854Qi1M
MxBNL1c5ndwWnsm36uYvMVMQ4COZ+mVekwWT201/1w4y/eSySGQ5cp4O9+8W1RrVj42D
CW4w==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@swemel.ru header.s=mail header.b=FxLX8o09;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=swemel.ru
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
q6-20020a632a06000000b00514156db940si3915320pgq.171.2023.04.05.06.10.01;
Wed, 05 Apr 2023 06:10:14 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@swemel.ru header.s=mail header.b=FxLX8o09;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=swemel.ru
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S237838AbjDEMxP (ORCPT <rfc822;lkml4gm@gmail.com> + 99 others);
Wed, 5 Apr 2023 08:53:15 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59362 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S232465AbjDEMxO (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Wed, 5 Apr 2023 08:53:14 -0400
Received: from mx.swemel.ru (mx.swemel.ru [95.143.211.150])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A52251FFE;
Wed, 5 Apr 2023 05:53:11 -0700 (PDT)
From: Denis Arefev <arefev@swemel.ru>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=swemel.ru; s=mail;
t=1680699188;
h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
to:to:cc:cc:mime-version:mime-version:
content-transfer-encoding:content-transfer-encoding;
bh=8jSMehI3NmhiQSs4S6ALsvgGoTEzZsyVpigKpvyvIMQ=;
b=FxLX8o09yM2S0bA/+HUGYBcyyZYWUad7hCBh69Sv0x0Mu25Y99ITwdHN6q4IR43mWhzWzT
RSVuWFmWy47ZJYc9velx3Z9T7P7TU9NvGJ989bhBbiVKgOjwTHGFjJKyw4EUNNH2bGw12e
hLhBYXLzmaZ3S9axo2drB/zYo19HNbk=
To: "David S. Miller" <davem@davemloft.net>
Cc: Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>,
Paolo Abeni <pabeni@redhat.com>, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, trufanov@swemel.ru, vfh@swemel.ru
Subject: [PATCH] net: Added security socket
Date: Wed, 5 Apr 2023 15:53:08 +0300
Message-Id: <20230405125308.57821-1-arefev@swemel.ru>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-0.2 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS
autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1762341908494016508?=
X-GMAIL-MSGID: =?utf-8?q?1762341908494016508?=
|
| Series |
net: Added security socket
|
|
Commit Message
Denis Arefev
April 5, 2023, 12:53 p.m. UTC
Added security_socket_connect
kernel_connect is in kernel space,
but kernel_connect is used in RPC
requests (/net/sunrpc/xprtsock.c),
and the RPC protocol is used by the NFS server.
This is how we protect the TCP connection
initiated by the client.
Signed-off-by: Denis Arefev <arefev@swemel.ru>
---
net/socket.c | 6 ++++++
1 file changed, 6 insertions(+)
Comments
On Wed, 5 Apr 2023 15:53:08 +0300 Denis Arefev wrote: > Added security_socket_connect > kernel_connect is in kernel space, > but kernel_connect is used in RPC > requests (/net/sunrpc/xprtsock.c), > and the RPC protocol is used by the NFS server. > This is how we protect the TCP connection > initiated by the client. Can you please format this to look like every other commit in the kernel and use imperative mood? Then please add to the description _exactly_ how you're going to use it, i.e. an example of a real rule. And CC linux-security-module@vger.kernel.org
diff --git a/net/socket.c b/net/socket.c index 9c92c0e6c4da..9afa2b44a9e5 100644 --- a/net/socket.c +++ b/net/socket.c @@ -3526,6 +3526,12 @@ EXPORT_SYMBOL(kernel_accept); int kernel_connect(struct socket *sock, struct sockaddr *addr, int addrlen, int flags) { + int err; + + err = security_socket_connect(sock, (struct sockaddr *)addr, addrlen); + if (err) + return err; + return sock->ops->connect(sock, addr, addrlen, flags); } EXPORT_SYMBOL(kernel_connect);