Diffstat (limited to 'crypto-properly-label-AF_ALG-socket.patch')
-rw-r--r--crypto-properly-label-AF_ALG-socket.patch44
1 files changed, 44 insertions, 0 deletions
diff --git a/crypto-properly-label-AF_ALG-socket.patch b/crypto-properly-label-AF_ALG-socket.patch
new file mode 100644
index 00000000..b42186bd
--- /dev/null
+++ b/crypto-properly-label-AF_ALG-socket.patch
@@ -0,0 +1,44 @@
+Th AF_ALG socket was missing a security label (e.g. SELinux)
+which means that socket was in "unlabeled" state.
+
+This was recently demonstrated in the cryptsetup package
+(cryptsetup v1.6.5 and later.)
+See https://bugzilla.redhat.com/show_bug.cgi?id=1115120
+
+This patch clones the sock's label from the parent sock
+and resolves the issue (similar to AF_BLUETOOTH protocol family).
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Milan Broz <gmazyland@gmail.com>
+---
+ crypto/af_alg.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/crypto/af_alg.c b/crypto/af_alg.c
+index 966f893..6a3ad80 100644
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -21,6 +21,7 @@
+ #include <linux/module.h>
+ #include <linux/net.h>
+ #include <linux/rwsem.h>
++#include <linux/security.h>
+
+ struct alg_type_list {
+ const struct af_alg_type *type;
+@@ -243,6 +244,7 @@ int af_alg_accept(struct sock *sk, struct socket *newsock)
+
+ sock_init_data(newsock, sk2);
+ sock_graft(sk2, newsock);
++ security_sk_clone(sk, sk2);
+
+ err = type->accept(ask->private, sk2);
+ if (err) {
+--
+2.0.1
+
+_______________________________________________
+Selinux mailing list
+Selinux@tycho.nsa.gov
+To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
+To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov. \ No newline at end of file
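Review bot: The carried patch file keeps the Selinux mailing-list footer after the `2.0.1` signature line and has no `From:`/`Subject:` header or upstream commit reference, so it looks like it was saved from a list archive rather than exported from a merged change. If the fix has been accepted upstream, regenerate the file from that commit and record its id in the header (e.g. `Upstream: <upstream commit id placeholder>`), which also shows when the patch can be dropped. In the embedded `af_alg_accept` hunk, the added `security_sk_clone(sk, sk2);` would benefit from a why-comment such as `/* inherit the parent sock's LSM label; sk2 is otherwise left unlabeled */`. The embedded hunk shows only part of `af_alg_accept`, so the error path after `type->accept()` cannot be checked from here.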