summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJosh Boyer <jwboyer@fedoraproject.org>2014-07-25 08:18:02 -0400
committerJosh Boyer <jwboyer@fedoraproject.org>2014-07-25 08:18:07 -0400
commitd35b963d10bf461f1f3b5dd10979f895101afc9b (patch)
treef69eff7850227a776003ec6e03a42be7a694396b
parentf12a594c2d6e1a3cb7e9afcc917dcc41b7a27bd3 (diff)
downloadkernel-d35b963d10bf461f1f3b5dd10979f895101afc9b.tar.gz
kernel-d35b963d10bf461f1f3b5dd10979f895101afc9b.tar.xz
kernel-d35b963d10bf461f1f3b5dd10979f895101afc9b.zip
Fix selinux sock_graft hook for AF_ALG address family (rhbz 1115120)
-rw-r--r--kernel.spec9
-rw-r--r--selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch75
2 files changed, 84 insertions, 0 deletions
diff --git a/kernel.spec b/kernel.spec
index ce514e750..8840dc8e9 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -642,6 +642,9 @@ Patch25118: sched-fix-sched_setparam-policy-1-logic.patch
#CVE-2014-5045 rhbz 1122472 1122482
Patch25119: fs-umount-on-symlink-leaks-mnt-count.patch
+#rhbz 1115120
+Patch25120: selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch
+
# git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
Patch30000: kernel-arm64.patch
@@ -1370,6 +1373,9 @@ ApplyPatch sched-fix-sched_setparam-policy-1-logic.patch
#CVE-2014-5045 rhbz 1122472 1122482
ApplyPatch fs-umount-on-symlink-leaks-mnt-count.patch
+#rhbz 1115120
+ApplyPatch selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch
+
%if 0%{?aarch64patches}
ApplyPatch kernel-arm64.patch
%ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
@@ -2252,6 +2258,9 @@ fi
# ||----w |
# || ||
%changelog
+* Fri Jul 25 2014 Josh Boyer <jwboyer@fedoraproject.org>
+- Fix selinux sock_graft hook for AF_ALG address family (rhbz 1115120)
+
* Thu Jul 24 2014 Kyle McMartin <kyle@fedoraproject.org>
- kernel-arm64.patch: update from upstream git.
- arm64: update config-arm64 to include PCI support.
diff --git a/selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch b/selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch
new file mode 100644
index 000000000..bf8d534fc
--- /dev/null
+++ b/selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch
@@ -0,0 +1,75 @@
+Bugzilla: 1115120
+Upstream-status: sent for 3.16
+
+From 4da6daf4d3df5a977e4623963f141a627fd2efce Mon Sep 17 00:00:00 2001
+From: Paul Moore <pmoore@redhat.com>
+Date: Thu, 10 Jul 2014 10:17:48 -0400
+Subject: [PATCH] selinux: fix the default socket labeling in sock_graft()
+
+The sock_graft() hook has special handling for AF_INET, AF_INET, and
+AF_UNIX sockets as those address families have special hooks which
+label the sock before it is attached its associated socket.
+Unfortunately, the sock_graft() hook was missing a default approach
+to labeling sockets which meant that any other address family which
+made use of connections or the accept() syscall would find the
+returned socket to be in an "unlabeled" state. This was recently
+demonstrated by the kcrypto/AF_ALG subsystem and the newly released
+cryptsetup package (cryptsetup v1.6.5 and later).
+
+This patch preserves the special handling in selinux_sock_graft(),
+but adds a default behavior - setting the sock's label equal to the
+associated socket - which resolves the problem with AF_ALG and
+presumably any other address family which makes use of accept().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Paul Moore <pmoore@redhat.com>
+Tested-by: Milan Broz <gmazyland@gmail.com>
+---
+ include/linux/security.h | 5 ++++-
+ security/selinux/hooks.c | 13 +++++++++++--
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/security.h b/include/linux/security.h
+index 6478ce3..794be73 100644
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -987,7 +987,10 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
+ * Retrieve the LSM-specific secid for the sock to enable caching of network
+ * authorizations.
+ * @sock_graft:
+- * Sets the socket's isec sid to the sock's sid.
++ * This hook is called in response to a newly created sock struct being
++ * grafted onto an existing socket and allows the security module to
++ * perform whatever security attribute management is necessary for both
++ * the sock and socket.
+ * @inet_conn_request:
+ * Sets the openreq's sid to socket's sid with MLS portion taken from peer sid.
+ * @inet_csk_clone:
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index 336f0a0..b3a6754 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -4499,9 +4499,18 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent)
+ struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
+ struct sk_security_struct *sksec = sk->sk_security;
+
+- if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
+- sk->sk_family == PF_UNIX)
++ switch (sk->sk_family) {
++ case PF_INET:
++ case PF_INET6:
++ case PF_UNIX:
+ isec->sid = sksec->sid;
++ break;
++ default:
++ /* by default there is no special labeling mechanism for the
++ * sksec label so inherit the label from the parent socket */
++ BUG_ON(sksec->sid != SECINITSID_UNLABELED);
++ sksec->sid = isec->sid;
++ }
+ sksec->sclass = isec->sclass;
+ }
+
+--
+1.9.3
+