On Mon, Apr 23, 2018 at 9:30 AM, David Herrmann <dh.herrmann@xxxxxxxxx> wrote: > Use the newly created LSM-hook for unix_socketpair(). The default hook > return-value is 0, so behavior stays the same unless LSMs start using > this hook. > > Signed-off-by: David Herrmann <dh.herrmann@xxxxxxxxx> > --- > net/unix/af_unix.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c > index 68bb70a62afe..bc9705ace9b1 100644 > --- a/net/unix/af_unix.c > +++ b/net/unix/af_unix.c > @@ -1371,6 +1371,11 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr, > static int unix_socketpair(struct socket *socka, struct socket *sockb) > { > struct sock *ska = socka->sk, *skb = sockb->sk; > + int err; > + > + err = security_unix_stream_socketpair(ska, skb); > + if (err) > + return err; I recognize that AF_UNIX is really the only protocol that supports socketpair(2) at the moment, but I like to avoid protocol specific LSM hooks whenever possible. Unless someone can think of a good objection, I would prefer to see the hook placed in __sys_socketpair() instead (and obviously drop the "unix_stream" portion from the hook name). > /* Join our sockets back to back */ > sock_hold(ska); > -- > 2.17.0 -- paul moore www.paul-moore.com
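Review bot: In unix_socketpair(), the new call is named security_unix_stream_socketpair(ska, skb), but nothing in the hunk restricts this path to stream sockets, so the hook name reads narrower than the call site. Consider naming the hook after the operation (socketpair) rather than a socket type, or state in the commit message which socket types are expected to reach it. The check is placed before sock_hold(ska), so the early "return err" leaves no reference to drop; that ordering should be preserved wherever the hook ends up.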