git.ipfire.org Git - thirdparty/kernel/stable.git/commit
dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses.
author Kuniyuki Iwashima <kuniyu@amazon.com>
Mon, 30 Oct 2023 20:10:42 +0000 (13:10 -0700)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 20 Nov 2023 10:08:28 +0000 (11:08 +0100)
commit 0dad0e75d62b3d0f9a5598447da66ad39f8af795
tree 378ae8c7e5a365267dd91d0c0e6cd44192adb4a9
parent c340713bdf3268670ad15acca8d25a6860db4899
dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses.

[ Upstream commit 23be1e0e2a83a8543214d2599a31d9a2185a796b ]

Initially, commit 4237c75c0a35 ("[MLSXFRM]: Auto-labeling of child
sockets") introduced security_inet_conn_request() in some functions
where reqsk is allocated.  The hook is added just after the allocation,
so reqsk's IPv6 remote address was not initialised then.

However, SELinux/Smack started to read it in netlbl_req_setattr()
after commit e1adea927080 ("calipso: Allow request sockets to be
relabelled by the lsm.").

Commit 284904aa7946 ("lsm: Relocate the IPv4 security_inet_conn_request()
hooks") fixed that kind of issue only in TCPv4 because IPv6 labeling was
not supported at that time.  Finally, the same issue was introduced again
in IPv6.

Let's apply the same fix on DCCPv6 and TCPv6.

Fixes: e1adea927080 ("calipso: Allow request sockets to be relabelled by the lsm.")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
net/dccp/ipv6.c
net/ipv6/syncookies.c