author | Josh Boyer <jwboyer@fedoraproject.org> | 2014-07-30 11:21:58 -0400 |
---|---|---|
committer | Josh Boyer <jwboyer@fedoraproject.org> | 2014-07-30 11:22:18 -0400 |
commit | 74a17995ecd302938e44188a32b59abbe4cd0084 (patch) | |
tree | 1a59caa0dd592ef06a07b61c567864fa6f86eeb9 /selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch | |
parent | b8a1bd45939e529fbc847a18ae58b696cf5c5157 (diff) | |
Apply different patch from Milan Broz to fix LUKS partitions (rhbz 1115120)
Diffstat (limited to 'selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch')
-rw-r--r-- | selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch | 75 |
1 files changed, 0 insertions, 75 deletions
diff --git a/selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch b/selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch
deleted file mode 100644
index bf8d534f..00000000
--- a/selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-Bugzilla: 1115120
-Upstream-status: sent for 3.16
-
-From 4da6daf4d3df5a977e4623963f141a627fd2efce Mon Sep 17 00:00:00 2001
-From: Paul Moore <pmoore@redhat.com>
-Date: Thu, 10 Jul 2014 10:17:48 -0400
-Subject: [PATCH] selinux: fix the default socket labeling in sock_graft()
-
-The sock_graft() hook has special handling for AF_INET, AF_INET, and
-AF_UNIX sockets as those address families have special hooks which
-label the sock before it is attached its associated socket.
-Unfortunately, the sock_graft() hook was missing a default approach
-to labeling sockets which meant that any other address family which
-made use of connections or the accept() syscall would find the
-returned socket to be in an "unlabeled" state. This was recently
-demonstrated by the kcrypto/AF_ALG subsystem and the newly released
-cryptsetup package (cryptsetup v1.6.5 and later).
-
-This patch preserves the special handling in selinux_sock_graft(),
-but adds a default behavior - setting the sock's label equal to the
-associated socket - which resolves the problem with AF_ALG and
-presumably any other address family which makes use of accept().
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Paul Moore <pmoore@redhat.com>
-Tested-by: Milan Broz <gmazyland@gmail.com>
----
- include/linux/security.h | 5 ++++-
- security/selinux/hooks.c | 13 +++++++++++--
- 2 files changed, 15 insertions(+), 3 deletions(-)
-
-diff --git a/include/linux/security.h b/include/linux/security.h
-index 6478ce3..794be73 100644
---- a/include/linux/security.h
-+++ b/include/linux/security.h
-@@ -987,7 +987,10 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
- * Retrieve the LSM-specific secid for the sock to enable caching of network
- * authorizations.
- * @sock_graft:
-- * Sets the socket's isec sid to the sock's sid.
-+ * This hook is called in response to a newly created sock struct being
-+ * grafted onto an existing socket and allows the security module to
-+ * perform whatever security attribute management is necessary for both
-+ * the sock and socket.
- * @inet_conn_request:
- * Sets the openreq's sid to socket's sid with MLS portion taken from peer sid.
- * @inet_csk_clone:
-diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index 336f0a0..b3a6754 100644
---- a/security/selinux/hooks.c
-+++ b/security/selinux/hooks.c
-@@ -4499,9 +4499,18 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent)
- struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
- struct sk_security_struct *sksec = sk->sk_security;
-
-- if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
-- sk->sk_family == PF_UNIX)
-+ switch (sk->sk_family) {
-+ case PF_INET:
-+ case PF_INET6:
-+ case PF_UNIX:
- isec->sid = sksec->sid;
-+ break;
-+ default:
-+ /* by default there is no special labeling mechanism for the
-+ * sksec label so inherit the label from the parent socket */
-+ BUG_ON(sksec->sid != SECINITSID_UNLABELED);
-+ sksec->sid = isec->sid;
-+ }
- sksec->sclass = isec->sclass;
- }
-
---
-1.9.3
- |