summaryrefslogtreecommitdiff
path: root/Documentation/security/SCTP.rst
diff options
context:
space:
mode:
authorPaul Moore <paul@paul-moore.com>2021-11-12 12:07:02 -0500
committerPaul Moore <paul@paul-moore.com>2021-11-12 12:07:02 -0500
commit32a370abf12f82c8383e430c21365f5355d8b288 (patch)
tree9e2ea4b4164568b851aa13661b221cd4b321d937 /Documentation/security/SCTP.rst
parent5833291ab6de9c3e2374336b51c814e515e8f3a5 (diff)
net,lsm,selinux: revert the security_sctp_assoc_established() hook
This patch reverts two prior patches, e7310c94024c ("security: implement sctp_assoc_established hook in selinux") and 7c2ef0240e6a ("security: add sctp_assoc_established hook"), which create the security_sctp_assoc_established() LSM hook and provide a SELinux implementation. Unfortunately these two patches were merged without proper review (the Reviewed-by and Tested-by tags from Richard Haines were for previous revisions of these patches that were significantly different) and there are outstanding objections from the SELinux maintainers regarding these patches. Work is currently ongoing to correct the problems identified in the reverted patches, as well as others that have come up during review, but it is unclear at this point in time when that work will be ready for inclusion in the mainline kernel. In the interest of not keeping objectionable code in the kernel for multiple weeks, and potentially a kernel release, we are reverting the two problematic patches. Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'Documentation/security/SCTP.rst')
-rw-r--r--Documentation/security/SCTP.rst22
1 files changed, 12 insertions, 10 deletions
diff --git a/Documentation/security/SCTP.rst b/Documentation/security/SCTP.rst
index 406cc68b8808..d5fd6ccc3dcb 100644
--- a/Documentation/security/SCTP.rst
+++ b/Documentation/security/SCTP.rst
@@ -15,7 +15,10 @@ For security module support, three SCTP specific hooks have been implemented::
security_sctp_assoc_request()
security_sctp_bind_connect()
security_sctp_sk_clone()
- security_sctp_assoc_established()
+
+Also the following security hook has been utilised::
+
+ security_inet_conn_established()
The usage of these hooks are described below with the SELinux implementation
described in the `SCTP SELinux Support`_ chapter.
@@ -119,12 +122,11 @@ calls **sctp_peeloff**\(3).
@newsk - pointer to new sock structure.
-security_sctp_assoc_established()
+security_inet_conn_established()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-Called when a COOKIE ACK is received, and the peer secid will be
-saved into ``@asoc->peer_secid`` for client::
+Called when a COOKIE ACK is received::
- @asoc - pointer to sctp association structure.
+ @sk - pointer to sock structure.
@skb - pointer to skbuff of the COOKIE ACK packet.
@@ -132,7 +134,7 @@ Security Hooks used for Association Establishment
-------------------------------------------------
The following diagram shows the use of ``security_sctp_bind_connect()``,
-``security_sctp_assoc_request()``, ``security_sctp_assoc_established()`` when
+``security_sctp_assoc_request()``, ``security_inet_conn_established()`` when
establishing an association.
::
@@ -170,7 +172,7 @@ establishing an association.
<------------------------------------------- COOKIE ACK
| |
sctp_sf_do_5_1E_ca |
- Call security_sctp_assoc_established() |
+ Call security_inet_conn_established() |
to set the peer label. |
| |
| If SCTP_SOCKET_TCP or peeled off
@@ -196,7 +198,7 @@ hooks with the SELinux specifics expanded below::
security_sctp_assoc_request()
security_sctp_bind_connect()
security_sctp_sk_clone()
- security_sctp_assoc_established()
+ security_inet_conn_established()
security_sctp_assoc_request()
@@ -269,12 +271,12 @@ sockets sid and peer sid to that contained in the ``@asoc sid`` and
@newsk - pointer to new sock structure.
-security_sctp_assoc_established()
+security_inet_conn_established()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Called when a COOKIE ACK is received where it sets the connection's peer sid
to that in ``@skb``::
- @asoc - pointer to sctp association structure.
+ @sk - pointer to sock structure.
@skb - pointer to skbuff of the COOKIE ACK packet.