    lsm: make security_socket_getpeersec_stream() sockptr_t safe (b10b9c34)
    Paul Moore authored
    Commit 4ff09db1 ("bpf: net: Change sk_getsockopt() to take the
    sockptr_t argument") made it possible to call sk_getsockopt()
    with both user and kernel address space buffers through the use of
    the sockptr_t type.  Unfortunately at the time of conversion the
    security_socket_getpeersec_stream() LSM hook was written to only
    accept userspace buffers, and in a desire to avoid having to change
    the LSM hook the commit author simply passed the sockptr_t's
    userspace buffer pointer.  Since the only sk_getsockopt() callers
    at the time of conversion which used kernel sockptr_t buffers did
    not allow SO_PEERSEC, and hence the
    security_socket_getpeersec_stream() hook, this was acceptable but
    also very fragile as future changes presented the possibility of
    silently passing kernel space pointers to the LSM hook.
    
    There are several ways to protect against this, including careful
    code review of future commits, but since relying on code review to
    catch bugs is a recipe for disaster and the upstream eBPF maintainer
    is "strongly against defensive programming", this patch updates the
    LSM hook, and all of the implementations to support sockptr_t and
    safely handle both user and kernel space buffers.
    Acked-by: Casey Schaufler <casey@schaufler-ca.com>
    Acked-by: John Johansen <john.johansen@canonical.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
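As an added illustration, not part of this commit or of the kernel's own code, the following userspace C model shows the fragility the message describes and the shape of the fix: a hook that only understands user buffers, a caller that hands it the sockptr_t's `.user` member regardless of `is_kernel`, and a sockptr_t-aware hook that copies through an address-space-aware helper. The two memory arenas, the peer context string, the names `hook_user_only`, `getpeersec_fragile` and `hook_sockptr`, the plain `unsigned int *optlen` argument (the real hook's signature differs) and the local `copy_to_sockptr` / `model_copy_to_user` stand-ins are all assumptions of the model, not the kernel's implementation.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace model of the kernel's sockptr_t: a pointer plus a flag naming
 * the address space it belongs to. Model only, not kernel code. */
typedef struct {
    union {
        void *kernel;
        void *user;     /* __user in the kernel */
    };
    bool is_kernel;
} sockptr_t;

static sockptr_t KERNEL_SOCKPTR(void *p)
{
    sockptr_t sp = { .kernel = p, .is_kernel = true };
    return sp;
}

static sockptr_t USER_SOCKPTR(void *p)
{
    sockptr_t sp = { .user = p, .is_kernel = false };
    return sp;
}

/* Constructed stand-ins for the two address spaces. */
static unsigned char user_arena[64];
static unsigned char kernel_arena[64];

static bool in_user_arena(const void *p, size_t n)
{
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)user_arena;
    return a >= lo && a + n <= lo + sizeof user_arena;
}

/* Model of copy_to_user(): a destination outside user space is rejected,
 * mirroring the access_ok() check that refuses kernel addresses. */
static int model_copy_to_user(void *dst, const void *src, size_t n)
{
    if (!in_user_arena(dst, n))
        return -EFAULT;
    memcpy(dst, src, n);
    return 0;
}

/* Local stand-in for the kernel's copy_to_sockptr(): dispatch on is_kernel. */
static int copy_to_sockptr(sockptr_t dst, const void *src, size_t n)
{
    if (dst.is_kernel) {
        memcpy(dst.kernel, src, n);
        return 0;
    }
    return model_copy_to_user(dst.user, src, n);
}

/* Constructed peer security context the hook hands back to the caller. */
static const char peer_ctx[] = "constructed_u:constructed_r:peer_t";

/* Pre-patch shape (hypothetical name): the hook only knows user buffers. */
static int hook_user_only(void *optval_user, unsigned int *optlen)
{
    if (*optlen < sizeof peer_ctx)
        return -ERANGE;
    *optlen = sizeof peer_ctx;
    return model_copy_to_user(optval_user, peer_ctx, sizeof peer_ctx);
}

/* Pre-patch caller: passes the sockptr_t's user pointer whatever is_kernel
 * says, so a kernel buffer silently enters a user-only copy path. */
static int getpeersec_fragile(sockptr_t optval, unsigned int *optlen)
{
    return hook_user_only(optval.user, optlen);
}

/* Post-patch shape (hypothetical name): the hook receives the sockptr_t
 * itself and lets the address-space-aware helper choose the copy. */
static int hook_sockptr(sockptr_t optval, unsigned int *optlen)
{
    if (*optlen < sizeof peer_ctx)
        return -ERANGE;
    *optlen = sizeof peer_ctx;
    return copy_to_sockptr(optval, peer_ctx, sizeof peer_ctx);
}

int main(void)
{
    unsigned int len = sizeof kernel_arena;
    int rc = getpeersec_fragile(KERNEL_SOCKPTR(kernel_arena), &len);
    printf("fragile path, kernel buffer: %d\n", rc);   /* -EFAULT */
    len = sizeof kernel_arena;
    rc = hook_sockptr(KERNEL_SOCKPTR(kernel_arena), &len);
    printf("sockptr path, kernel buffer: %d \"%s\"\n", rc, (char *)kernel_arena);
    return 0;
}
```

The fragile path fails only for kernel buffers, and only because the caller that supplies them happens to be exercised; that is the "silently passing kernel space pointers" risk the message names. Carrying the sockptr_t through the hook makes the address space part of the interface instead of a property the caller has to remember.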