On Thursday, August 09, 2012 04:50:33 PM Eric Dumazet wrote:
> From: Eric Dumazet <edumazet@xxxxxxxxxx>
>
> commit be9f4a44e7d41cee (ipv4: tcp: remove per net tcp_sock) added a
> selinux regression, reported and bisected by John Stultz
>
> selinux_ip_postroute_compat() expects to find a valid sk->sk_security
> pointer, but this field is NULL for unicast_sock
>
> Fix this by adding a new 'kernel' parameter to security_sk_alloc(),
> set to true if socket might already have a valid sk->sk_security
> pointer. ip_send_unicast_reply() uses a percpu fake socket, so the first
> call to security_sk_alloc() will populate sk->sk_security pointer,
> subsequent ones will reuse existing context.
>
> Reported-by: John Stultz <johnstul@xxxxxxxxxx>
> Bisected-by: John Stultz <johnstul@xxxxxxxxxx>
> Signed-off-by: Eric Dumazet <edumazet@xxxxxxxxxx>
> Cc: Paul Moore <paul@xxxxxxxxxxxxxx>
> Cc: Eric Paris <eparis@xxxxxxxxxxxxxx>
> Cc: "Serge E. Hallyn" <serge@xxxxxxxxxx>

...

> diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
> index 76dde25..b233d6e 100644
> --- a/net/ipv4/ip_output.c
> +++ b/net/ipv4/ip_output.c
> @@ -1524,6 +1524,8 @@ void ip_send_unicast_reply(struct net *net, struct sk_buff *skb, __be32 daddr,
>  	sk->sk_priority = skb->priority;
>  	sk->sk_protocol = ip_hdr(skb)->protocol;
>  	sk->sk_bound_dev_if = arg->bound_dev_if;
> +	if (security_sk_alloc(sk, PF_INET, GFP_ATOMIC, true))
> +		goto out;
>  	sock_net_set(sk, net);
>  	__skb_queue_head_init(&sk->sk_write_queue);
>  	sk->sk_sndbuf = sysctl_wmem_default;

Is it possible to do the call to security_sk_alloc() in the ip_init()
function or does the per-cpu nature of the socket make this a pain?

--
paul moore
www.paul-moore.com
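Review bot: the new security_sk_alloc(sk, PF_INET, GFP_ATOMIC, true) call in ip_send_unicast_reply() runs on every reply through the percpu fake socket, so the hook contract "reuse the existing sk->sk_security when kernel is true" is load-bearing and should be spelled out in the security_sk_alloc() documentation, with each LSM's sk_alloc_security implementation checked against it; an LSM that allocates unconditionally here would leak a blob per reply rather than fail loudly. The `goto out` on failure also drops the reply without any diagnostic, which is hard to notice in an ATOMIC path; a one-time warning or counter would make an allocation failure visible. Both concerns go away if the allocation can be moved to init time, as the follow-up question suggests.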
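The commit message describes the fix as "first call populates sk->sk_security, subsequent ones reuse existing context". The added example below (not kernel code and not part of the patch; all structs, the hook and the postroute stand-in are hypothetical simplifications) models that 'kernel' flag semantics on a per-cpu style socket, and shows the NULL-context case the regression hit.

```c
/* Added example: models the 'kernel' parameter semantics the patch gives
 * security_sk_alloc() for the percpu reply socket. Not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

struct sk_security_ctx { unsigned int sid; };      /* stand-in for the LSM blob */
struct sock { struct sk_security_ctx *sk_security; };

#define PF_INET    2
#define GFP_ATOMIC 0x20u
#define ENOMEM     12

/* Hypothetical hook: with kernel == true a socket that already carries a
 * security blob keeps it; with kernel == false a fresh blob is always made. */
static int security_sk_alloc(struct sock *sk, int family, unsigned int gfp, bool kernel)
{
	(void)family; (void)gfp;
	if (kernel && sk->sk_security)
		return 0;                              /* reuse existing context */
	sk->sk_security = calloc(1, sizeof(*sk->sk_security));
	if (!sk->sk_security)
		return -ENOMEM;
	sk->sk_security->sid = 1;                  /* constructed "kernel" SID */
	return 0;
}

/* Stand-in for selinux_ip_postroute_compat(): it needs sk_security.
 * Returns the SID, or -1 when the socket has no security context at all. */
static int postroute_compat(const struct sock *sk)
{
	return sk->sk_security ? (int)sk->sk_security->sid : -1;
}

/* The regression: a fake socket never passed through security_sk_alloc(). */
static int unpatched_reply(void)
{
	static struct sock unicast_sock;           /* sk_security stays NULL */
	return postroute_compat(&unicast_sock);
}

/* The fix: two replies through the same socket. Returns 1 when the blob is
 * allocated once and reused, 0 when a second blob replaced the first. */
static int reply_twice_reuses_context(void)
{
	static struct sock unicast_sock;           /* percpu fake socket in the kernel */
	struct sk_security_ctx *first, *second;
	if (security_sk_alloc(&unicast_sock, PF_INET, GFP_ATOMIC, true)) return -1;
	first = unicast_sock.sk_security;
	if (security_sk_alloc(&unicast_sock, PF_INET, GFP_ATOMIC, true)) return -1;
	second = unicast_sock.sk_security;
	return (first == second && postroute_compat(&unicast_sock) == 1) ? 1 : 0;
}
```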