[GIT PULL] SELinux patches for v4.17

[GIT PULL] SELinux patches for v4.17

[Paul Moore]

Hi Linus,

A bigger than usual pull request for SELinux, 13 patches (lucky!)
along with a scary looking diffstat.  Although if you look a bit
closer, excluding the usual minor tweaks/fixes, there are really only
two significant changes in this pull request: the addition of proper
SELinux access controls for SCTP and the encapsulation of a lot of
internal SELinux state.  The SCTP changes are the result of a
multi-month effort (maybe even a year or longer?) between the SELinux
folks and the SCTP folks to add proper SELinux controls.  A special
thanks go to Richard for seeing this through and keeping the effort
moving forward.  The state encapsulation work is a bit of janitorial
work that came out of some early work on SELinux namespacing.  The
question of namespacing is still an open one, but I believe there is
some real value in the encapsulation work so we've split that out and
are now sending that up to you.

Everything passes the selinux-testsuite, but there are a few known
merge conflicts.  The first is with the netdev tree and is in
net/sctp/socket.c.  Unfortunately it is a bit ugly, thankfully Stephen
Rothwell has already done the heavy lifting in resolving the merge for
you, and the SCTP folks have given his merge patch a thumbs-up.  Link
below:

* https://marc.info/?l=linux-netdev&m=152047486123499&w=2

There are also two conflicts with James' security tree, both rather
easy.  The first is in security/selinux/hooks.c and is quite trivial,
but since I've got the linux-next archive handy, here is a link to the
merge fixup:

* https://marc.info/?l=linux-next&m=152160312324537&w=2

The second security/SELinux conflict is in include/linux/lsm_hooks.h
and while the size of the fixup is scary at first, it is really just
the three new LSM/SCTP hooks and isn't that bad at all:

* https://marc.info/?l=linux-next&m=152273068901460&w=2

In the past I know you have preferred to handle your own merge
conflict resolution, but the above is a bit more than usual, at least
for the SELinux tree.  If you would prefer that I handle the merge
conflicts and send you a new PR (or something else), let me know.

Thanks,
-Paul

--
The following changes since commit 7928b2cbe55b2a410a0f5c1f154610059c57b1b2:

 Linux 4.16-rc1 (2018-02-11 15:04:29 -0800)

are available in the Git repository at:

 git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git tags/selinux
-pr-20180403

for you to fetch changes up to 6b6bc6205d98796361962ee282a063f18ba8dc57:

 selinux: wrap AVC state (2018-03-20 16:58:17 -0400)

----------------------------------------------------------------
selinux/stable-4.17 PR 20180403

----------------------------------------------------------------
Arnd Bergmann (1):
     selinux: fix typo in selinux_netlbl_sctp_sk_clone declaration

Paul Moore (1):
     selinux: rename the {is,set}_enforcing() functions

Richard Haines (7):
     netlabel: If PF_INET6, check sk_buff ip header version
     security: Add support for SCTP security hooks
     sctp: Add ip option support
     sctp: Add LSM hooks
     selinux: Add SCTP support
     selinux: Fix ltp test connect-syscall failure
     selinux: Update SELinux SCTP documentation

Stephen Smalley (4):
     selinux: wrap global selinux state
     selinux: fix handling of uninitialized selinux state in get_bools/classes
     selinux: wrap selinuxfs state
     selinux: wrap AVC state

Documentation/security/LSM-sctp.rst     |  175 +++++
Documentation/security/SELinux-sctp.rst |  158 +++++
include/linux/lsm_hooks.h               |   36 +
include/linux/security.h                |   25 +
include/net/sctp/sctp.h                 |    4 +-
include/net/sctp/structs.h              |   12 +
include/uapi/linux/sctp.h               |    1 +
net/netlabel/netlabel_unlabeled.c       |   10 +
net/sctp/chunk.c                        |   10 +-
net/sctp/ipv6.c                         |   45 +-
net/sctp/output.c                       |   34 +-
net/sctp/protocol.c                     |   43 ++
net/sctp/sm_make_chunk.c                |   12 +
net/sctp/sm_statefuns.c                 |   18 +
net/sctp/socket.c                       |   73 +-
security/security.c                     |   22 +
security/selinux/avc.c                  |  282 ++++----
security/selinux/hooks.c                |  922 +++++++++++++++++++-------
security/selinux/ibpkey.c               |    3 +-
security/selinux/include/avc.h          |   38 +-
security/selinux/include/avc_ss.h       |    9 +-
security/selinux/include/classmap.h     |    2 +-
security/selinux/include/conditional.h  |   11 +-
security/selinux/include/netlabel.h     |   22 +-
security/selinux/include/objsec.h       |    6 +-
security/selinux/include/security.h     |  231 +++++--
security/selinux/netif.c                |    2 +-
security/selinux/netlabel.c             |  148 ++++-
security/selinux/netnode.c              |    4 +-
security/selinux/netport.c              |    2 +-
security/selinux/selinuxfs.c            |  493 ++++++++------
security/selinux/ss/avtab.c             |    9 +-
security/selinux/ss/avtab.h             |    3 -
security/selinux/ss/ebitmap.c           |    7 +-
security/selinux/ss/ebitmap.h           |    3 -
security/selinux/ss/hashtab.c           |    8 +-
security/selinux/ss/hashtab.h           |    4 -
security/selinux/ss/mls.c               |   72 +-
security/selinux/ss/mls.h               |   38 +-
security/selinux/ss/services.c          | 1100 ++++++++++++++++++-------------
security/selinux/ss/services.h          |   24 +-
security/selinux/ss/status.c            |   47 +-
security/selinux/xfrm.c                 |   23 +-
43 files changed, 2939 insertions(+), 1252 deletions(-)
create mode 100644 Documentation/security/LSM-sctp.rst
create mode 100644 Documentation/security/SELinux-sctp.rst

-- 
paul moore
www.paul-moore.com

Re: [GIT PULL] SELinux patches for v4.17

[Linus Torvalds]

On Tue, Apr 3, 2018 at 6:37 PM, Paul Moore <paul@paul-moore.com> wrote:
>
> Everything passes the selinux-testsuite, but there are a few known
> merge conflicts.  The first is with the netdev tree and is in
> net/sctp/socket.c.  Unfortunately it is a bit ugly, thankfully Stephen
> Rothwell has already done the heavy lifting in resolving the merge for
> you, and the SCTP folks have given his merge patch a thumbs-up.

I ended up re-doing the merge, and it looks like some more sctp
changes happened after Stephen's merge anyway, so mine didn't end up
quite like his.

Adding Xin Long to see if he can verify it again, but it all *looks* sane.

While looking at it, it struck me that the new security hooks don't
seem to hook into __sctp_connect(), which also does that

                        scope = sctp_scope(&to);
                        asoc = sctp_association_new(ep, sk, scope, GFP_KERNEL);

thing. Is that intentional? The sendmsg case does that
security_sctp_bind_connect, the actual __sctp_connect() does not.

This is not because I screwed up the merge - it's that way in the
SELinux tree too. And I obviously _left_ it that way, but while doing
the merge and trying to understand what was going on, this struck me.

I'm probably missing something really obvious why the connect case
doesn't want to do it thgere.

NOTE! I do see it being done in __sctp_setsockopt_connectx(). But
__sctp_connect() has another caller (in sctp_connect()) which doesn't
have that security_sctp_bind_connect() call.

So please check my resolution, but also somebody should tell me
"Linus, you're a cretin, sctp_connect() doesn't want that
security_sctp_bind_connect() at all because it was already done by
XYZ"

                 Linus

Re: [GIT PULL] SELinux patches for v4.17

[Richard Haines]

On Fri, 2018-04-06 at 16:07 -0700, Linus Torvalds wrote:
> On Tue, Apr 3, 2018 at 6:37 PM, Paul Moore <paul@paul-moore.com>
> wrote:
> > 
> > Everything passes the selinux-testsuite, but there are a few known
> > merge conflicts.  The first is with the netdev tree and is in
> > net/sctp/socket.c.  Unfortunately it is a bit ugly, thankfully
> > Stephen
> > Rothwell has already done the heavy lifting in resolving the merge
> > for
> > you, and the SCTP folks have given his merge patch a thumbs-up.
> 
> I ended up re-doing the merge, and it looks like some more sctp
> changes happened after Stephen's merge anyway, so mine didn't end up
> quite like his.
> 
> Adding Xin Long to see if he can verify it again, but it all *looks*
> sane.
> 
> While looking at it, it struck me that the new security hooks don't
> seem to hook into __sctp_connect(), which also does that
> 
>                         scope = sctp_scope(&to);
>                         asoc = sctp_association_new(ep, sk, scope,
> GFP_KERNEL);
> 
> thing. Is that intentional? The sendmsg case does that
> security_sctp_bind_connect, the actual __sctp_connect() does not.
> 
> This is not because I screwed up the merge - it's that way in the
> SELinux tree too. And I obviously _left_ it that way, but while doing
> the merge and trying to understand what was going on, this struck me.
> 
> I'm probably missing something really obvious why the connect case
> doesn't want to do it thgere.
> 
> NOTE! I do see it being done in __sctp_setsockopt_connectx(). But
> __sctp_connect() has another caller (in sctp_connect()) which doesn't
> have that security_sctp_bind_connect() call.
> 
> So please check my resolution, but also somebody should tell me
> "Linus, you're a cretin, sctp_connect() doesn't want that
> security_sctp_bind_connect() at all because it was already done by
> XYZ"
> 
>                  Linus

Thought I would answer the questions as I wrote the SELinux/SCTP
patches.

sctp_connect() or __sctp_connect() do not need to call
security_sctp_bind_connect(). This is because the connect(2) call will
handle the checks required via security_socket_connect():

       connect(2)
          |
 SYSCALL_DEFINE3(connect, ....)
          |
   security_socket_connect()
          |
     sctp_connect()

SCTP uses security_sctp_bind_connect() as this can handle one or more
addresses for either sctp_connectx(3) or sctp_bindx(3). It is also used
for handling the sendmsg(2) and sctp_sendmsg(3) calls in SCTP for a new
association (that is effectively a "connect").

Hope this helps

Richard

> --
> To unsubscribe from this list: send the line "unsubscribe linux-
> security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [GIT PULL] SELinux patches for v4.17

[Linus Torvalds]

On Sat, Apr 7, 2018 at 9:54 AM, Richard Haines
<richard_c_haines@btinternet.com> wrote:
>>
>> So please check my resolution, but also somebody should tell me
>> "Linus, you're a cretin, sctp_connect() doesn't want that
>> security_sctp_bind_connect() at all because it was already done by
>> XYZ"
>
> sctp_connect() or __sctp_connect() do not need to call
> security_sctp_bind_connect(). This is because the connect(2) call will
> handle the checks required via security_socket_connect():

Ok, thanks, that's exactly what I wanted to get.

Anyway, somebody should still verify that it all looks good in my
tree, but I don't actually expect the merge to have had any issues
even if the refactoring made it a bit more complex than most merges
are.

                      Linus

Re: [GIT PULL] SELinux patches for v4.17

[Xin Long]

On Sat, Apr 7, 2018 at 7:07 AM, Linus Torvalds
<torvalds@linux-foundation.org> wrote:
> On Tue, Apr 3, 2018 at 6:37 PM, Paul Moore <paul@paul-moore.com> wrote:
>>
>> Everything passes the selinux-testsuite, but there are a few known
>> merge conflicts.  The first is with the netdev tree and is in
>> net/sctp/socket.c.  Unfortunately it is a bit ugly, thankfully Stephen
>> Rothwell has already done the heavy lifting in resolving the merge for
>> you, and the SCTP folks have given his merge patch a thumbs-up.
>
> I ended up re-doing the merge, and it looks like some more sctp
> changes happened after Stephen's merge anyway, so mine didn't end up
 > quite like his.
>
You're right, a sctp fix went into net-next after Stephen's that merge.
https://patchwork.ozlabs.org/patch/884469/ (v1)
https://patchwork.ozlabs.org/patch/884971/ (v2)

Which caused the resolution to have changed again.

I've checked the new resolution on your tree, the SCTP part is all good.

Thanks.

Re: [GIT PULL] SELinux patches for v4.17

[Paul Moore]

On April 8, 2018 2:13:51 AM Xin Long <lucien.xin@gmail.com> wrote:
On Sat, Apr 7, 2018 at 7:07 AM, Linus Torvalds
<torvalds@linux-foundation.org> wrote:
On Tue, Apr 3, 2018 at 6:37 PM, Paul Moore <paul@paul-moore.com> wrote:

Everything passes the selinux-testsuite, but there are a few known
merge conflicts.  The first is with the netdev tree and is in
net/sctp/socket.c.  Unfortunately it is a bit ugly, thankfully Stephen
Rothwell has already done the heavy lifting in resolving the merge for
you, and the SCTP folks have given his merge patch a thumbs-up.

I ended up re-doing the merge, and it looks like some more sctp
changes happened after Stephen's merge anyway, so mine didn't end up
quite like his.
You're right, a sctp fix went into net-next after Stephen's that merge.
https://patchwork.ozlabs.org/patch/884469/ (v1)
https://patchwork.ozlabs.org/patch/884971/ (v2)

Which caused the resolution to have changed again.

I've checked the new resolution on your tree, the SCTP part is all good.

Thanks for double checking that Xin.

--
paul moore
www.paul-moore.com

Re: [GIT PULL] SELinux patches for v4.17

[Paul Moore]

On April 7, 2018 1:03:57 PM Linus Torvalds <torvalds@linux-foundation.org> wrote:
On Sat, Apr 7, 2018 at 9:54 AM, Richard Haines
<richard_c_haines@btinternet.com> wrote:

So please check my resolution, but also somebody should tell me
"Linus, you're a cretin, sctp_connect() doesn't want that
security_sctp_bind_connect() at all because it was already done by
XYZ"

sctp_connect() or __sctp_connect() do not need to call
security_sctp_bind_connect(). This is because the connect(2) call will
handle the checks required via security_socket_connect():

Ok, thanks, that's exactly what I wanted to get.

Anyway, somebody should still verify that it all looks good in my
tree, but I don't actually expect the merge to have had any issues
even if the refactoring made it a bit more complex than most merges
are.

Thanks for the quick response Richard.

Xin Long looked it over and gave it the thumbs up, I'll take a look too, but to be honest I trust his SCTP understanding much more than mine.  I also do weekly tests of each rcX release at a minimum so if something odd pops up I'll make sure you get a fix.

Thanks again everyone.

--
paul moore
www.paul-moore.com

Re: [GIT PULL] SELinux patches for v4.17

[Richard Haines]

On Sun, 2018-04-08 at 08:50 -0400, Paul Moore wrote:
> On April 7, 2018 1:03:57 PM Linus Torvalds <torvalds@linux-foundation
> .org> wrote:
> On Sat, Apr 7, 2018 at 9:54 AM, Richard Haines
> <richard_c_haines@btinternet.com> wrote:
> 
> So please check my resolution, but also somebody should tell me
> "Linus, you're a cretin, sctp_connect() doesn't want that
> security_sctp_bind_connect() at all because it was already done by
> XYZ"
> 
> sctp_connect() or __sctp_connect() do not need to call
> security_sctp_bind_connect(). This is because the connect(2) call
> will
> handle the checks required via security_socket_connect():
> 
> Ok, thanks, that's exactly what I wanted to get.
> 
> Anyway, somebody should still verify that it all looks good in my
> tree, but I don't actually expect the merge to have had any issues
> even if the refactoring made it a bit more complex than most merges
> are.
> 
> Thanks for the quick response Richard.
> 
> Xin Long looked it over and gave it the thumbs up, I'll take a look
> too, but to be honest I trust his SCTP understanding much more than
> mine.  I also do weekly tests of each rcX release at a minimum so if
> something odd pops up I'll make sure you get a fix.
> 
> Thanks again everyone.

I built the kernel this morning and sorry to spoil the party, but I've
run into a problem with lksctp-tools when running the func_tests:

make v6test
..
..
./test_timetolive_v6
test_timetolive.c  0 INFO : Creating fillmsg of size 3087
test_timetolive.c  1 PASS : Send a message with timeout
test_timetolive.c  2 PASS : Send a message with no timeout
test_timetolive.c  3 PASS : Send a fragmented message with timeout
test_timetolive.c  0 INFO :  **  SLEEPING for 3 seconds **
test_timetolive.c  4 BROK : Got a datamsg of unexpected length:23,
expected length:27
DUMP_CORE sctputil.c: 247
/bin/sh: line 1: 30981 Segmentation fault      (core dumped) ./$a
test_timetolive_v6 fails

make v4 test fails the same way. I'm using lksctp-tools from [1]. I
have not investigated the cause yet as just found this and thought I
should flag first just in case someone has the answer !!!

On the bright side, I've run the sctp-tests from [2] with no problems
and also the selinux-testsuite with my SCTP patch from [3] using an
updated Fedora policy from [4] (with sctp support added), all in
enforcing mode.

Also the LTP test passed:
cd /opt/ltp/
cat runtest/syscalls |grep connect01>runtest/connect-syscall
./runltp -pq -f connect-syscall
....

[1] https://github.com/sctp/lksctp-tools
[2] https://github.com/sctp/sctp-tests
[3] https://marc.info/?l=selinux&m=152156947715709&w=2
[4] https://github.com/fedora-selinux/selinux-policy


> 
> --
> paul moore
> www.paul-moore.com
> 
> 
> 

Re: [GIT PULL] SELinux patches for v4.17

[Xin Long]

On Sun, Apr 8, 2018 at 10:09 PM, Richard Haines
<richard_c_haines@btinternet.com> wrote:
> On Sun, 2018-04-08 at 08:50 -0400, Paul Moore wrote:
>> On April 7, 2018 1:03:57 PM Linus Torvalds <torvalds@linux-foundation
>> .org> wrote:
>> On Sat, Apr 7, 2018 at 9:54 AM, Richard Haines
>> <richard_c_haines@btinternet.com> wrote:
>>
>> So please check my resolution, but also somebody should tell me
>> "Linus, you're a cretin, sctp_connect() doesn't want that
>> security_sctp_bind_connect() at all because it was already done by
>> XYZ"
>>
>> sctp_connect() or __sctp_connect() do not need to call
>> security_sctp_bind_connect(). This is because the connect(2) call
>> will
>> handle the checks required via security_socket_connect():
>>
>> Ok, thanks, that's exactly what I wanted to get.
>>
>> Anyway, somebody should still verify that it all looks good in my
>> tree, but I don't actually expect the merge to have had any issues
>> even if the refactoring made it a bit more complex than most merges
>> are.
>>
>> Thanks for the quick response Richard.
>>
>> Xin Long looked it over and gave it the thumbs up, I'll take a look
>> too, but to be honest I trust his SCTP understanding much more than
>> mine.  I also do weekly tests of each rcX release at a minimum so if
>> something odd pops up I'll make sure you get a fix.
>>
>> Thanks again everyone.
>
> I built the kernel this morning and sorry to spoil the party, but I've
> run into a problem with lksctp-tools when running the func_tests:
>
> make v6test
> ..
> ..
> ./test_timetolive_v6
> test_timetolive.c  0 INFO : Creating fillmsg of size 3087
> test_timetolive.c  1 PASS : Send a message with timeout
> test_timetolive.c  2 PASS : Send a message with no timeout
> test_timetolive.c  3 PASS : Send a fragmented message with timeout
> test_timetolive.c  0 INFO :  **  SLEEPING for 3 seconds **
> test_timetolive.c  4 BROK : Got a datamsg of unexpected length:23,
> expected length:27
> DUMP_CORE sctputil.c: 247
> /bin/sh: line 1: 30981 Segmentation fault      (core dumped) ./$a
> test_timetolive_v6 fails
>
> make v4 test fails the same way. I'm using lksctp-tools from [1]. I
> have not investigated the cause yet as just found this and thought I
> should flag first just in case someone has the answer !!!
test_timetolive(_v6) works for me, In lksctp-tools/src/func_tests, I had
another case failed,./test_1_to_1_events,  it's caused by:
commit 30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b
Author: Xin Long <lucien.xin@gmail.com>
Date:   Wed Mar 14 19:05:34 2018 +0800

    sctp: add SCTP_AUTH_NO_AUTH type for AUTHENTICATION_EVENT

It's not kernel's issue, after that commit, ./test_1_to_1_events should
have been improved. or avoid it by 'sysctl -w net.sctp.auth_enable=1'

I'm not sure why test_timetolive(_v6) is not working in your env.

>
> On the bright side, I've run the sctp-tests from [2] with no problems
> and also the selinux-testsuite with my SCTP patch from [3] using an
> updated Fedora policy from [4] (with sctp support added), all in
> enforcing mode.
>
> Also the LTP test passed:
> cd /opt/ltp/
> cat runtest/syscalls |grep connect01>runtest/connect-syscall
> ./runltp -pq -f connect-syscall
> ....
>
> [1] https://github.com/sctp/lksctp-tools
> [2] https://github.com/sctp/sctp-tests
> [3] https://marc.info/?l=selinux&m=152156947715709&w=2
> [4] https://github.com/fedora-selinux/selinux-policy
>
>
>>
>> --
>> paul moore
>> www.paul-moore.com
>>
>>
>>

Re: [GIT PULL] SELinux patches for v4.17

[Richard Haines]

On Mon, 2018-04-09 at 01:43 +0800, Xin Long wrote:
> On Sun, Apr 8, 2018 at 10:09 PM, Richard Haines
> <richard_c_haines@btinternet.com> wrote:
> > On Sun, 2018-04-08 at 08:50 -0400, Paul Moore wrote:
> > > On April 7, 2018 1:03:57 PM Linus Torvalds <torvalds@linux-founda
> > > tion
> > > .org> wrote:
> > > On Sat, Apr 7, 2018 at 9:54 AM, Richard Haines
> > > <richard_c_haines@btinternet.com> wrote:
> > > 
> > > So please check my resolution, but also somebody should tell me
> > > "Linus, you're a cretin, sctp_connect() doesn't want that
> > > security_sctp_bind_connect() at all because it was already done
> > > by
> > > XYZ"
> > > 
> > > sctp_connect() or __sctp_connect() do not need to call
> > > security_sctp_bind_connect(). This is because the connect(2) call
> > > will
> > > handle the checks required via security_socket_connect():
> > > 
> > > Ok, thanks, that's exactly what I wanted to get.
> > > 
> > > Anyway, somebody should still verify that it all looks good in my
> > > tree, but I don't actually expect the merge to have had any
> > > issues
> > > even if the refactoring made it a bit more complex than most
> > > merges
> > > are.
> > > 
> > > Thanks for the quick response Richard.
> > > 
> > > Xin Long looked it over and gave it the thumbs up, I'll take a
> > > look
> > > too, but to be honest I trust his SCTP understanding much more
> > > than
> > > mine.  I also do weekly tests of each rcX release at a minimum so
> > > if
> > > something odd pops up I'll make sure you get a fix.
> > > 
> > > Thanks again everyone.
> > 
> > I built the kernel this morning and sorry to spoil the party, but
> > I've
> > run into a problem with lksctp-tools when running the func_tests:
> > 
> > make v6test
> > ..
> > ..
> > ./test_timetolive_v6
> > test_timetolive.c  0 INFO : Creating fillmsg of size 3087
> > test_timetolive.c  1 PASS : Send a message with timeout
> > test_timetolive.c  2 PASS : Send a message with no timeout
> > test_timetolive.c  3 PASS : Send a fragmented message with timeout
> > test_timetolive.c  0 INFO :  **  SLEEPING for 3 seconds **
> > test_timetolive.c  4 BROK : Got a datamsg of unexpected length:23,
> > expected length:27
> > DUMP_CORE sctputil.c: 247
> > /bin/sh: line 1: 30981 Segmentation fault      (core dumped) ./$a
> > test_timetolive_v6 fails
> > 
> > make v4 test fails the same way. I'm using lksctp-tools from [1]. I
> > have not investigated the cause yet as just found this and thought
> > I
> > should flag first just in case someone has the answer !!!
> 
> test_timetolive(_v6) works for me, In lksctp-tools/src/func_tests, I
> had
> another case failed,./test_1_to_1_events,  it's caused by:
> commit 30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b
> Author: Xin Long <lucien.xin@gmail.com>
> Date:   Wed Mar 14 19:05:34 2018 +0800
> 
>     sctp: add SCTP_AUTH_NO_AUTH type for AUTHENTICATION_EVENT
> 
> It's not kernel's issue, after that commit, ./test_1_to_1_events
> should
> have been improved. or avoid it by 'sysctl -w net.sctp.auth_enable=1'
> 
> I'm not sure why test_timetolive(_v6) is not working in your env.

It appears to depend on the run sequence of the tests. I rebooted the
system, ran test_timetolive_v6, it worked okay.
Ran "sctp-tests run" on a terminal, then ran test_timetolive_v6 at
various intervals on another terminal. Once sctp-tests started the "===
ndatasched ===" sequence, test_timetolive_v6 failed.

> 
> > 
> > On the bright side, I've run the sctp-tests from [2] with no
> > problems
> > and also the selinux-testsuite with my SCTP patch from [3] using an
> > updated Fedora policy from [4] (with sctp support added), all in
> > enforcing mode.
> > 
> > Also the LTP test passed:
> > cd /opt/ltp/
> > cat runtest/syscalls |grep connect01>runtest/connect-syscall
> > ./runltp -pq -f connect-syscall
> > ....
> > 
> > [1] https://github.com/sctp/lksctp-tools
> > [2] https://github.com/sctp/sctp-tests
> > [3] https://marc.info/?l=selinux&m=152156947715709&w=2
> > [4] https://github.com/fedora-selinux/selinux-policy
> > 
> > 
> > > 
> > > --
> > > paul moore
> > > www.paul-moore.com
> > > 
> > > 
> > > 
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-
> security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [GIT PULL] SELinux patches for v4.17

[Richard Haines]

On Sun, 2018-04-08 at 19:59 +0100, Richard Haines via Selinux wrote:
> On Mon, 2018-04-09 at 01:43 +0800, Xin Long wrote:
> > On Sun, Apr 8, 2018 at 10:09 PM, Richard Haines
> > <richard_c_haines@btinternet.com> wrote:
> > > On Sun, 2018-04-08 at 08:50 -0400, Paul Moore wrote:
> > > > On April 7, 2018 1:03:57 PM Linus Torvalds <torvalds@linux-foun
> > > > da
> > > > tion
> > > > .org> wrote:
> > > > On Sat, Apr 7, 2018 at 9:54 AM, Richard Haines
> > > > <richard_c_haines@btinternet.com> wrote:
> > > > 
> > > > So please check my resolution, but also somebody should tell me
> > > > "Linus, you're a cretin, sctp_connect() doesn't want that
> > > > security_sctp_bind_connect() at all because it was already done
> > > > by
> > > > XYZ"
> > > > 
> > > > sctp_connect() or __sctp_connect() do not need to call
> > > > security_sctp_bind_connect(). This is because the connect(2)
> > > > call
> > > > will
> > > > handle the checks required via security_socket_connect():
> > > > 
> > > > Ok, thanks, that's exactly what I wanted to get.
> > > > 
> > > > Anyway, somebody should still verify that it all looks good in
> > > > my
> > > > tree, but I don't actually expect the merge to have had any
> > > > issues
> > > > even if the refactoring made it a bit more complex than most
> > > > merges
> > > > are.
> > > > 
> > > > Thanks for the quick response Richard.
> > > > 
> > > > Xin Long looked it over and gave it the thumbs up, I'll take a
> > > > look
> > > > too, but to be honest I trust his SCTP understanding much more
> > > > than
> > > > mine.  I also do weekly tests of each rcX release at a minimum
> > > > so
> > > > if
> > > > something odd pops up I'll make sure you get a fix.
> > > > 
> > > > Thanks again everyone.
> > > 
> > > I built the kernel this morning and sorry to spoil the party, but
> > > I've
> > > run into a problem with lksctp-tools when running the func_tests:
> > > 
> > > make v6test
> > > ..
> > > ..
> > > ./test_timetolive_v6
> > > test_timetolive.c  0 INFO : Creating fillmsg of size 3087
> > > test_timetolive.c  1 PASS : Send a message with timeout
> > > test_timetolive.c  2 PASS : Send a message with no timeout
> > > test_timetolive.c  3 PASS : Send a fragmented message with
> > > timeout
> > > test_timetolive.c  0 INFO :  **  SLEEPING for 3 seconds **
> > > test_timetolive.c  4 BROK : Got a datamsg of unexpected
> > > length:23,
> > > expected length:27
> > > DUMP_CORE sctputil.c: 247
> > > /bin/sh: line 1: 30981 Segmentation fault      (core dumped) ./$a
> > > test_timetolive_v6 fails
> > > 
> > > make v4 test fails the same way. I'm using lksctp-tools from [1].
> > > I
> > > have not investigated the cause yet as just found this and
> > > thought
> > > I
> > > should flag first just in case someone has the answer !!!
> > 
> > test_timetolive(_v6) works for me, In lksctp-tools/src/func_tests,
> > I
> > had
> > another case failed,./test_1_to_1_events,  it's caused by:
> > commit 30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b
> > Author: Xin Long <lucien.xin@gmail.com>
> > Date:   Wed Mar 14 19:05:34 2018 +0800
> > 
> >     sctp: add SCTP_AUTH_NO_AUTH type for AUTHENTICATION_EVENT
> > 
> > It's not kernel's issue, after that commit, ./test_1_to_1_events
> > should
> > have been improved. or avoid it by 'sysctl -w
> > net.sctp.auth_enable=1'
> > 
> > I'm not sure why test_timetolive(_v6) is not working in your env.
> 
> It appears to depend on the run sequence of the tests. I rebooted the
> system, ran test_timetolive_v6, it worked okay.
> Ran "sctp-tests run" on a terminal, then ran test_timetolive_v6 at
> various intervals on another terminal. Once sctp-tests started the
> "===
> ndatasched ===" sequence, test_timetolive_v6 failed.

1) When SCTP is initialised /proc/sys/net/sctp/prsctp_enable = 1
2) When sctp-tests/testcase/regression/extoverflow/test.sh is executed,
on exit it sets prsctp_enable = 0. This seems to be causing the issue
I'm seeing. I can now simulate the problem:

Running from fresh boot:
checksctp
cat /proc/sys/net/sctp/prsctp_enable
1
./test_timetolive_v6
passes
echo 0 > /proc/sys/net/sctp/prsctp_enable
./test_timetolive_v6
fails
echo 1 > /proc/sys/net/sctp/prsctp_enable
./test_timetolive_v6
passes

I've no idea why as yet !!!


> 
> > 
> > > 
> > > On the bright side, I've run the sctp-tests from [2] with no
> > > problems
> > > and also the selinux-testsuite with my SCTP patch from [3] using
> > > an
> > > updated Fedora policy from [4] (with sctp support added), all in
> > > enforcing mode.
> > > 
> > > Also the LTP test passed:
> > > cd /opt/ltp/
> > > cat runtest/syscalls |grep connect01>runtest/connect-syscall
> > > ./runltp -pq -f connect-syscall
> > > ....
> > > 
> > > [1] https://github.com/sctp/lksctp-tools
> > > [2] https://github.com/sctp/sctp-tests
> > > [3] https://marc.info/?l=selinux&m=152156947715709&w=2
> > > [4] https://github.com/fedora-selinux/selinux-policy
> > > 
> > > 
> > > > 
> > > > --
> > > > paul moore
> > > > www.paul-moore.com
> > > > 
> > > > 
> > > > 
> > 
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-
> > security-module" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
> 

Re: [GIT PULL] SELinux patches for v4.17

[Xin Long]

On Mon, Apr 9, 2018 at 6:44 AM, Richard Haines
<richard_c_haines@btinternet.com> wrote:
> On Sun, 2018-04-08 at 19:59 +0100, Richard Haines via Selinux wrote:
>> On Mon, 2018-04-09 at 01:43 +0800, Xin Long wrote:
>> > On Sun, Apr 8, 2018 at 10:09 PM, Richard Haines
>> > <richard_c_haines@btinternet.com> wrote:
>> > > On Sun, 2018-04-08 at 08:50 -0400, Paul Moore wrote:
>> > > > On April 7, 2018 1:03:57 PM Linus Torvalds <torvalds@linux-foun
>> > > > da
>> > > > tion
>> > > > .org> wrote:
>> > > > On Sat, Apr 7, 2018 at 9:54 AM, Richard Haines
>> > > > <richard_c_haines@btinternet.com> wrote:
>> > > >
>> > > > So please check my resolution, but also somebody should tell me
>> > > > "Linus, you're a cretin, sctp_connect() doesn't want that
>> > > > security_sctp_bind_connect() at all because it was already done
>> > > > by
>> > > > XYZ"
>> > > >
>> > > > sctp_connect() or __sctp_connect() do not need to call
>> > > > security_sctp_bind_connect(). This is because the connect(2)
>> > > > call
>> > > > will
>> > > > handle the checks required via security_socket_connect():
>> > > >
>> > > > Ok, thanks, that's exactly what I wanted to get.
>> > > >
>> > > > Anyway, somebody should still verify that it all looks good in
>> > > > my
>> > > > tree, but I don't actually expect the merge to have had any
>> > > > issues
>> > > > even if the refactoring made it a bit more complex than most
>> > > > merges
>> > > > are.
>> > > >
>> > > > Thanks for the quick response Richard.
>> > > >
>> > > > Xin Long looked it over and gave it the thumbs up, I'll take a
>> > > > look
>> > > > too, but to be honest I trust his SCTP understanding much more
>> > > > than
>> > > > mine.  I also do weekly tests of each rcX release at a minimum
>> > > > so
>> > > > if
>> > > > something odd pops up I'll make sure you get a fix.
>> > > >
>> > > > Thanks again everyone.
>> > >
>> > > I built the kernel this morning and sorry to spoil the party, but
>> > > I've
>> > > run into a problem with lksctp-tools when running the func_tests:
>> > >
>> > > make v6test
>> > > ..
>> > > ..
>> > > ./test_timetolive_v6
>> > > test_timetolive.c  0 INFO : Creating fillmsg of size 3087
>> > > test_timetolive.c  1 PASS : Send a message with timeout
>> > > test_timetolive.c  2 PASS : Send a message with no timeout
>> > > test_timetolive.c  3 PASS : Send a fragmented message with
>> > > timeout
>> > > test_timetolive.c  0 INFO :  **  SLEEPING for 3 seconds **
>> > > test_timetolive.c  4 BROK : Got a datamsg of unexpected
>> > > length:23,
>> > > expected length:27
>> > > DUMP_CORE sctputil.c: 247
>> > > /bin/sh: line 1: 30981 Segmentation fault      (core dumped) ./$a
>> > > test_timetolive_v6 fails
>> > >
>> > > make v4 test fails the same way. I'm using lksctp-tools from [1].
>> > > I
>> > > have not investigated the cause yet as just found this and
>> > > thought
>> > > I
>> > > should flag first just in case someone has the answer !!!
>> >
>> > test_timetolive(_v6) works for me, In lksctp-tools/src/func_tests,
>> > I
>> > had
>> > another case failed,./test_1_to_1_events,  it's caused by:
>> > commit 30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b
>> > Author: Xin Long <lucien.xin@gmail.com>
>> > Date:   Wed Mar 14 19:05:34 2018 +0800
>> >
>> >     sctp: add SCTP_AUTH_NO_AUTH type for AUTHENTICATION_EVENT
>> >
>> > It's not kernel's issue, after that commit, ./test_1_to_1_events
>> > should
>> > have been improved. or avoid it by 'sysctl -w
>> > net.sctp.auth_enable=1'
>> >
>> > I'm not sure why test_timetolive(_v6) is not working in your env.
>>
>> It appears to depend on the run sequence of the tests. I rebooted the
>> system, ran test_timetolive_v6, it worked okay.
>> Ran "sctp-tests run" on a terminal, then ran test_timetolive_v6 at
>> various intervals on another terminal. Once sctp-tests started the
>> "===
>> ndatasched ===" sequence, test_timetolive_v6 failed.
>
> 1) When SCTP is initialised /proc/sys/net/sctp/prsctp_enable = 1
> 2) When sctp-tests/testcase/regression/extoverflow/test.sh is executed,
> on exit it sets prsctp_enable = 0. This seems to be causing the issue
> I'm seeing. I can now simulate the problem:
>
> Running from fresh boot:
> checksctp
> cat /proc/sys/net/sctp/prsctp_enable
> 1
> ./test_timetolive_v6
> passes
> echo 0 > /proc/sys/net/sctp/prsctp_enable
> ./test_timetolive_v6
> fails
> echo 1 > /proc/sys/net/sctp/prsctp_enable
> ./test_timetolive_v6
> passes
I see ...

commit 8ae808eb853e3789b81b8a502cdf22bb01b76880
Author: Xin Long <lucien.xin@gmail.com>
Date:   Sat Oct 8 11:40:16 2016 +0800

    sctp: remove the old ttl expires policy

ttl expire is considered as one of the prsctp policies after
this commit, so prsctp_enable is required. I will think to
update this test case in lksctp-tools.

Thanks for the reproducer.