Fix selinux sock_graft hook for AF_ALG address family (rhbz 1115120)
This commit is contained in:
Josh Boyer
parent
36ebbb459e
commit
7d60e1ecb9
|
|
@ -642,6 +642,9 @@ Patch25118: sched-fix-sched_setparam-policy-1-logic.patch
|
|||
#CVE-2014-5045 rhbz 1122472 1122482
|
||||
Patch25119: fs-umount-on-symlink-leaks-mnt-count.patch
|
||||
|
||||
#rhbz 1115120
|
||||
Patch25120: selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch
|
||||
|
||||
# git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
|
||||
Patch30000: kernel-arm64.patch
|
||||
|
||||
|
|
@ -1370,6 +1373,9 @@ ApplyPatch sched-fix-sched_setparam-policy-1-logic.patch
|
|||
#CVE-2014-5045 rhbz 1122472 1122482
|
||||
ApplyPatch fs-umount-on-symlink-leaks-mnt-count.patch
|
||||
|
||||
#rhbz 1115120
|
||||
ApplyPatch selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch
|
||||
|
||||
%if 0%{?aarch64patches}
|
||||
ApplyPatch kernel-arm64.patch
|
||||
%ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
|
||||
|
|
@ -2252,6 +2258,9 @@ fi
|
|||
# ||----w |
|
||||
# || ||
|
||||
%changelog
|
||||
* Fri Jul 25 2014 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- Fix selinux sock_graft hook for AF_ALG address family (rhbz 1115120)
|
||||
|
||||
* Thu Jul 24 2014 Kyle McMartin <kyle@fedoraproject.org>
|
||||
- kernel-arm64.patch: update from upstream git.
|
||||
- arm64: update config-arm64 to include PCI support.
|
||||
|
|
|
|||
|
|
@ -0,0 +1,75 @@
|
|||
Bugzilla: 1115120
|
||||
Upstream-status: sent for 3.16
|
||||
|
||||
From 4da6daf4d3df5a977e4623963f141a627fd2efce Mon Sep 17 00:00:00 2001
|
||||
From: Paul Moore <pmoore@redhat.com>
|
||||
Date: Thu, 10 Jul 2014 10:17:48 -0400
|
||||
Subject: [PATCH] selinux: fix the default socket labeling in sock_graft()
|
||||
|
||||
The sock_graft() hook has special handling for AF_INET, AF_INET, and
|
||||
AF_UNIX sockets as those address families have special hooks which
|
||||
label the sock before it is attached its associated socket.
|
||||
Unfortunately, the sock_graft() hook was missing a default approach
|
||||
to labeling sockets which meant that any other address family which
|
||||
made use of connections or the accept() syscall would find the
|
||||
returned socket to be in an "unlabeled" state. This was recently
|
||||
demonstrated by the kcrypto/AF_ALG subsystem and the newly released
|
||||
cryptsetup package (cryptsetup v1.6.5 and later).
|
||||
|
||||
This patch preserves the special handling in selinux_sock_graft(),
|
||||
but adds a default behavior - setting the sock's label equal to the
|
||||
associated socket - which resolves the problem with AF_ALG and
|
||||
presumably any other address family which makes use of accept().
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Paul Moore <pmoore@redhat.com>
|
||||
Tested-by: Milan Broz <gmazyland@gmail.com>
|
||||
---
|
||||
include/linux/security.h | 5 ++++-
|
||||
security/selinux/hooks.c | 13 +++++++++++--
|
||||
2 files changed, 15 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/include/linux/security.h b/include/linux/security.h
|
||||
index 6478ce3..794be73 100644
|
||||
--- a/include/linux/security.h
|
||||
+++ b/include/linux/security.h
|
||||
@@ -987,7 +987,10 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
|
||||
* Retrieve the LSM-specific secid for the sock to enable caching of network
|
||||
* authorizations.
|
||||
* @sock_graft:
|
||||
- * Sets the socket's isec sid to the sock's sid.
|
||||
+ * This hook is called in response to a newly created sock struct being
|
||||
+ * grafted onto an existing socket and allows the security module to
|
||||
+ * perform whatever security attribute management is necessary for both
|
||||
+ * the sock and socket.
|
||||
* @inet_conn_request:
|
||||
* Sets the openreq's sid to socket's sid with MLS portion taken from peer sid.
|
||||
* @inet_csk_clone:
|
||||
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
|
||||
index 336f0a0..b3a6754 100644
|
||||
--- a/security/selinux/hooks.c
|
||||
+++ b/security/selinux/hooks.c
|
||||
@@ -4499,9 +4499,18 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent)
|
||||
struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
|
||||
struct sk_security_struct *sksec = sk->sk_security;
|
||||
|
||||
- if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
|
||||
- sk->sk_family == PF_UNIX)
|
||||
+ switch (sk->sk_family) {
|
||||
+ case PF_INET:
|
||||
+ case PF_INET6:
|
||||
+ case PF_UNIX:
|
||||
isec->sid = sksec->sid;
|
||||
+ break;
|
||||
+ default:
|
||||
+ /* by default there is no special labeling mechanism for the
|
||||
+ * sksec label so inherit the label from the parent socket */
|
||||
+ BUG_ON(sksec->sid != SECINITSID_UNLABELED);
|
||||
+ sksec->sid = isec->sid;
|
||||
+ }
|
||||
sksec->sclass = isec->sclass;
|
||||
}
|
||||
|
||||
--
|
||||
1.9.3
|
||||
|
||||
Loading…
Reference in New Issue