1 files changed, 0 insertions, 75 deletions

diff --git a/selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch b/selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch
deleted file mode 100644
index bf8d534f..00000000
--- a/selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-Bugzilla: 1115120
-Upstream-status: sent for 3.16
-
-From 4da6daf4d3df5a977e4623963f141a627fd2efce Mon Sep 17 00:00:00 2001
-From: Paul Moore <pmoore@redhat.com>
-Date: Thu, 10 Jul 2014 10:17:48 -0400
-Subject: [PATCH] selinux: fix the default socket labeling in sock_graft()
-
-The sock_graft() hook has special handling for AF_INET, AF_INET, and
-AF_UNIX sockets as those address families have special hooks which
-label the sock before it is attached its associated socket.
-Unfortunately, the sock_graft() hook was missing a default approach
-to labeling sockets which meant that any other address family which
-made use of connections or the accept() syscall would find the
-returned socket to be in an "unlabeled" state.  This was recently
-demonstrated by the kcrypto/AF_ALG subsystem and the newly released
-cryptsetup package (cryptsetup v1.6.5 and later).
-
-This patch preserves the special handling in selinux_sock_graft(),
-but adds a default behavior - setting the sock's label equal to the
-associated socket - which resolves the problem with AF_ALG and
-presumably any other address family which makes use of accept().
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Paul Moore <pmoore@redhat.com>
-Tested-by: Milan Broz <gmazyland@gmail.com>
----
- include/linux/security.h |  5 ++++-
- security/selinux/hooks.c | 13 +++++++++++--
- 2 files changed, 15 insertions(+), 3 deletions(-)
-
-diff --git a/include/linux/security.h b/include/linux/security.h
-index 6478ce3..794be73 100644
---- a/include/linux/security.h
-+++ b/include/linux/security.h
-@@ -987,7 +987,10 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
-  *	Retrieve the LSM-specific secid for the sock to enable caching of network
-  *	authorizations.
-  * @sock_graft:
-- *	Sets the socket's isec sid to the sock's sid.
-+ *	This hook is called in response to a newly created sock struct being
-+ *	grafted onto an existing socket and allows the security module to
-+ *	perform whatever security attribute management is necessary for both
-+ *	the sock and socket.
-  * @inet_conn_request:
-  *	Sets the openreq's sid to socket's sid with MLS portion taken from peer sid.
-  * @inet_csk_clone:
-diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index 336f0a0..b3a6754 100644
---- a/security/selinux/hooks.c
-+++ b/security/selinux/hooks.c
-@@ -4499,9 +4499,18 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent)
- 	struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
- 	struct sk_security_struct *sksec = sk->sk_security;
- 
--	if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
--	    sk->sk_family == PF_UNIX)
-+	switch (sk->sk_family) {
-+	case PF_INET:
-+	case PF_INET6:
-+	case PF_UNIX:
- 		isec->sid = sksec->sid;
-+		break;
-+	default:
-+		/* by default there is no special labeling mechanism for the
-+		 * sksec label so inherit the label from the parent socket */
-+		BUG_ON(sksec->sid != SECINITSID_UNLABELED);
-+		sksec->sid = isec->sid;
-+	}
- 	sksec->sclass = isec->sclass;
- }
- 
--- 
-1.9.3
-