76 lines
2.9 KiB
Diff
76 lines
2.9 KiB
Diff
|
Bugzilla: 1115120
|
||
|
|
Upstream-status: sent for 3.16
|
||
|
|
|
||
|
|
From 4da6daf4d3df5a977e4623963f141a627fd2efce Mon Sep 17 00:00:00 2001
|
||
|
|
From: Paul Moore <pmoore@redhat.com>
|
||
|
|
Date: Thu, 10 Jul 2014 10:17:48 -0400
|
||
|
|
Subject: [PATCH] selinux: fix the default socket labeling in sock_graft()
|
||
|
|
|
||
|
|
The sock_graft() hook has special handling for AF_INET, AF_INET, and
|
||
|
|
AF_UNIX sockets as those address families have special hooks which
|
||
|
|
label the sock before it is attached its associated socket.
|
||
|
|
Unfortunately, the sock_graft() hook was missing a default approach
|
||
|
|
to labeling sockets which meant that any other address family which
|
||
|
|
made use of connections or the accept() syscall would find the
|
||
|
|
returned socket to be in an "unlabeled" state. This was recently
|
||
|
|
demonstrated by the kcrypto/AF_ALG subsystem and the newly released
|
||
|
|
cryptsetup package (cryptsetup v1.6.5 and later).
|
||
|
|
|
||
|
|
This patch preserves the special handling in selinux_sock_graft(),
|
||
|
|
but adds a default behavior - setting the sock's label equal to the
|
||
|
|
associated socket - which resolves the problem with AF_ALG and
|
||
|
|
presumably any other address family which makes use of accept().
|
||
|
|
|
||
|
|
Cc: stable@vger.kernel.org
|
||
|
|
Signed-off-by: Paul Moore <pmoore@redhat.com>
|
||
|
|
Tested-by: Milan Broz <gmazyland@gmail.com>
|
||
|
|
---
|
||
|
|
include/linux/security.h | 5 ++++-
|
||
|
|
security/selinux/hooks.c | 13 +++++++++++--
|
||
|
|
2 files changed, 15 insertions(+), 3 deletions(-)
|
||
|
|
|
||
|
|
diff --git a/include/linux/security.h b/include/linux/security.h
|
||
|
|
index 6478ce3..794be73 100644
|
||
|
|
--- a/include/linux/security.h
|
||
|
|
+++ b/include/linux/security.h
|
||
|
|
@@ -987,7 +987,10 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
|
||
|
|
* Retrieve the LSM-specific secid for the sock to enable caching of network
|
||
|
|
* authorizations.
|
||
|
|
* @sock_graft:
|
||
|
|
- * Sets the socket's isec sid to the sock's sid.
|
||
|
|
+ * This hook is called in response to a newly created sock struct being
|
||
|
|
+ * grafted onto an existing socket and allows the security module to
|
||
|
|
+ * perform whatever security attribute management is necessary for both
|
||
|
|
+ * the sock and socket.
|
||
|
|
* @inet_conn_request:
|
||
|
|
* Sets the openreq's sid to socket's sid with MLS portion taken from peer sid.
|
||
|
|
* @inet_csk_clone:
|
||
|
|
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
|
||
|
|
index 336f0a0..b3a6754 100644
|
||
|
|
--- a/security/selinux/hooks.c
|
||
|
|
+++ b/security/selinux/hooks.c
|
||
|
|
@@ -4499,9 +4499,18 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent)
|
||
|
|
struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
|
||
|
|
struct sk_security_struct *sksec = sk->sk_security;
|
||
|
|
|
||
|
|
- if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
|
||
|
|
- sk->sk_family == PF_UNIX)
|
||
|
|
+ switch (sk->sk_family) {
|
||
|
|
+ case PF_INET:
|
||
|
|
+ case PF_INET6:
|
||
|
|
+ case PF_UNIX:
|
||
|
|
isec->sid = sksec->sid;
|
||
|
|
+ break;
|
||
|
|
+ default:
|
||
|
|
+ /* by default there is no special labeling mechanism for the
|
||
|
|
+ * sksec label so inherit the label from the parent socket */
|
||
|
|
+ BUG_ON(sksec->sid != SECINITSID_UNLABELED);
|
||
|
|
+ sksec->sid = isec->sid;
|
||
|
|
+ }
|
||
|
|
sksec->sclass = isec->sclass;
|
||
|
|
}
|
||
|
|
|
||
|
|
--
|
||
|
|
1.9.3
|
||
|
|
|