diff options
Diffstat (limited to 'crypto-properly-label-AF_ALG-socket.patch')
-rw-r--r-- | crypto-properly-label-AF_ALG-socket.patch | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/crypto-properly-label-AF_ALG-socket.patch b/crypto-properly-label-AF_ALG-socket.patch new file mode 100644 index 00000000..b42186bd --- /dev/null +++ b/crypto-properly-label-AF_ALG-socket.patch @@ -0,0 +1,44 @@ +Th AF_ALG socket was missing a security label (e.g. SELinux) +which means that socket was in "unlabeled" state. + +This was recently demonstrated in the cryptsetup package +(cryptsetup v1.6.5 and later.) +See https://bugzilla.redhat.com/show_bug.cgi?id=1115120 + +This patch clones the sock's label from the parent sock +and resolves the issue (similar to AF_BLUETOOTH protocol family). + +Cc: stable@vger.kernel.org +Signed-off-by: Milan Broz <gmazyland@gmail.com> +--- + crypto/af_alg.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/crypto/af_alg.c b/crypto/af_alg.c +index 966f893..6a3ad80 100644 +--- a/crypto/af_alg.c ++++ b/crypto/af_alg.c +@@ -21,6 +21,7 @@ + #include <linux/module.h> + #include <linux/net.h> + #include <linux/rwsem.h> ++#include <linux/security.h> + + struct alg_type_list { + const struct af_alg_type *type; +@@ -243,6 +244,7 @@ int af_alg_accept(struct sock *sk, struct socket *newsock) + + sock_init_data(newsock, sk2); + sock_graft(sk2, newsock); ++ security_sk_clone(sk, sk2); + + err = type->accept(ask->private, sk2); + if (err) { +-- +2.0.1 + +_______________________________________________ +Selinux mailing list +Selinux@tycho.nsa.gov +To unsubscribe, send email to Selinux-leave@tycho.nsa.gov. +To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
\ No newline at end of file |