authorRichard Haines <richard_c_haines@btinternet.com>2018-02-13 20:56:24 +0000
committerPaul Moore <paul@paul-moore.com>2018-02-26 17:45:23 -0500
commit2277c7cd75e39783eeb7512a6c35f8b4abbe1039 (patch)
tree247a9b36acd431330a479ccdcb9b277f0b4d4973 /net/sctp/sm_statefuns.c
parentsctp: Add ip option support (diff)
sctp: Add LSM hooks
Add security hooks allowing security modules to exercise access control over SCTP. Signed-off-by: Richard Haines <richard_c_haines@btinternet.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'net/sctp/sm_statefuns.c')
-rw-r--r--net/sctp/sm_statefuns.c18
1 files changed, 18 insertions, 0 deletions
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index eb7905ffe5f2..42659ab68c38 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -321,6 +321,11 @@ enum sctp_disposition sctp_sf_do_5_1B_init(struct net *net,
struct sctp_packet *packet;
int len;
+ /* Update socket peer label if first association. */
+ if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
+ chunk->skb))
+ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
+
/* 6.10 Bundling
* An endpoint MUST NOT bundle INIT, INIT ACK or
* SHUTDOWN COMPLETE with any other chunks.
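Review bot: The `security_sctp_assoc_request()` call sits ahead of the 6.10 bundling check shown right below it, so the hook runs, and per its own comment may update the socket peer label, for an INIT that the function can still reject as malformed. Moving the `if (security_sctp_assoc_request(...)) return sctp_sf_pdiscard(...);` pair below the chunk validation would keep a discarded packet from influencing label state. The same ordering appears in the `sctp_sf_do_unexpected_init` hunk. The `(struct sctp_endpoint *)ep` cast, repeated at all three call sites, presumably strips a `const` qualifier; a hook prototype taking `const struct sctp_endpoint *` would make it unnecessary. The function body continues outside the hunk, so the remaining validation steps are not visible here.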
@@ -908,6 +913,9 @@ enum sctp_disposition sctp_sf_do_5_1E_ca(struct net *net,
*/
sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
+ /* Set peer label for connection. */
+ security_inet_conn_established(ep->base.sk, chunk->skb);
+
/* RFC 2960 5.1 Normal Establishment of an Association
*
* E) Upon reception of the COOKIE ACK, endpoint "A" will move
@@ -1436,6 +1444,11 @@ static enum sctp_disposition sctp_sf_do_unexpected_init(
struct sctp_packet *packet;
int len;
+ /* Update socket peer label if first association. */
+ if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
+ chunk->skb))
+ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
+
/* 6.10 Bundling
* An endpoint MUST NOT bundle INIT, INIT ACK or
* SHUTDOWN COMPLETE with any other chunks.
@@ -2106,6 +2119,11 @@ enum sctp_disposition sctp_sf_do_5_2_4_dupcook(
}
}
+ /* Update socket peer label if first association. */
+ if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
+ chunk->skb))
+ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
+
/* Set temp so that it won't be added into hashtable */
new_asoc->temp = 1;
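Review bot: The early `return sctp_sf_pdiscard(...)` added here does not release `new_asoc`. The next context line writes `new_asoc->temp`, so the association already exists when the hook is consulted, and nothing on the denial path frees it. Its allocation is outside the hunk, but if it is created earlier in this function, every COOKIE ECHO the security module denies would leak one association, and a peer can repeat that at will. Brace the branch and add `sctp_association_free(new_asoc);` before the `return`.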