On 07/10/2014 11:37 AM, Paul Moore wrote:
> The sock_graft() hook has special handling for AF_INET, AF_INET6, and
> AF_UNIX sockets as those address families have special hooks which
> label the sock before it is attached to its associated socket.
> Unfortunately, the sock_graft() hook was missing a default approach
> to labeling sockets which meant that any other address family which
> made use of connections or the accept() syscall would find the
> returned socket to be in an "unlabeled" state. This was recently
> demonstrated by the kcrypto/AF_ALG subsystem and the newly released
> cryptsetup package (cryptsetup v1.6.5 and later).
>
> This patch preserves the special handling in selinux_sock_graft(),
> but adds a default behavior - setting the sock's label equal to the
> associated socket - which resolves the problem with AF_ALG and
> presumably any other address family which makes use of accept().
>
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Paul Moore <pmoore@xxxxxxxxxx>
> Tested-by: Milan Broz <gmazyland@xxxxxxxxx>
> ---
> security/selinux/hooks.c | 12 ++++++++++--
> 1 file changed, 10 insertions(+), 2 deletions(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 336f0a0..39f16d0 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -4499,9 +4499,17 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent) > struct inode_security_struct *isec = SOCK_INODE(parent)->i_security; > struct sk_security_struct *sksec = sk->sk_security; > > - if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || > - sk->sk_family == PF_UNIX) > + switch (sk->sk_family) { > + case PF_INET: > + case PF_INET6: > + case PF_UNIX: > isec->sid = sksec->sid; > + break; > + default: > + /* by default there is no special labeling mechanism for the > + * sock label so inherit the label from the parent socket */ > + sksec->sid = isec->sid; > + }

Wait...why would we assign isec->sid from sksec->sid in the former case but the reverse here? Shouldn't we be setting isec->sid in all cases? The hook documentation in include/linux/security.h unfortunately does not describe the actual abstract behavior but rather describes the implementation in the inet case.

> sksec->sclass = isec->sclass; > }
>
> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
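Review bot: the two arms of the new switch copy the SID in opposite directions, and the hunk gives no rationale for that asymmetry: for PF_INET/PF_INET6/PF_UNIX it does `isec->sid = sksec->sid;` (sock label is authoritative, inode follows), while the `default` arm does `sksec->sid = isec->sid;` (inode label is authoritative, sock follows) and leaves `isec->sid` untouched. If the intent is that a sock with no family-specific labeling hook should inherit the parent socket inode's label, the in-code comment should say that the inode label is taken as authoritative in that case and why the direction differs from the labeled families, and the hook's description in include/linux/security.h should be updated to state that abstract contract rather than the inet-specific behaviour it currently describes. Note also that the trailing `sksec->sclass = isec->sclass;` applies to both arms, so the class always comes from the inode even in the arm where the SID flows the other way; worth a sentence in the comment so the next reader does not have to infer it.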