[kernel/f21] Fix selinux sock_graft hook for AF_ALG address family (rhbz 1115120)

Josh Boyer jwboyer at fedoraproject.org
Fri Jul 25 12:18:21 UTC 2014 

commit 7d60e1ecb928c55bcebc348508606699815e00f9
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date:   Fri Jul 25 08:18:02 2014 -0400

    Fix selinux sock_graft hook for AF_ALG address family (rhbz 1115120)

 kernel.spec                                        |    9 +++
 ...-4da6daf4d3df5a977e4623963f141a627fd2efce.patch |   75 ++++++++++++++++++++
 2 files changed, 84 insertions(+), 0 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index ce514e7..8840dc8 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -642,6 +642,9 @@ Patch25118: sched-fix-sched_setparam-policy-1-logic.patch
 #CVE-2014-5045 rhbz 1122472 1122482
 Patch25119: fs-umount-on-symlink-leaks-mnt-count.patch
 
+#rhbz 1115120
+Patch25120: selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch
+
 # git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
 Patch30000: kernel-arm64.patch
 
@@ -1370,6 +1373,9 @@ ApplyPatch sched-fix-sched_setparam-policy-1-logic.patch
 #CVE-2014-5045 rhbz 1122472 1122482
 ApplyPatch fs-umount-on-symlink-leaks-mnt-count.patch
 
+#rhbz 1115120
+ApplyPatch selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch
+
 %if 0%{?aarch64patches}
 ApplyPatch kernel-arm64.patch
 %ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
@@ -2252,6 +2258,9 @@ fi
 #                                    ||----w |
 #                                    ||     ||
 %changelog
+* Fri Jul 25 2014 Josh Boyer <jwboyer at fedoraproject.org>
+- Fix selinux sock_graft hook for AF_ALG address family (rhbz 1115120)
+
 * Thu Jul 24 2014 Kyle McMartin <kyle at fedoraproject.org>
 - kernel-arm64.patch: update from upstream git.
 - arm64: update config-arm64 to include PCI support.
diff --git a/selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch b/selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch
new file mode 100644
index 0000000..bf8d534
--- /dev/null
+++ b/selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch
@@ -0,0 +1,75 @@
+Bugzilla: 1115120
+Upstream-status: sent for 3.16
+
+From 4da6daf4d3df5a977e4623963f141a627fd2efce Mon Sep 17 00:00:00 2001
+From: Paul Moore <pmoore at redhat.com>
+Date: Thu, 10 Jul 2014 10:17:48 -0400
+Subject: [PATCH] selinux: fix the default socket labeling in sock_graft()
+
+The sock_graft() hook has special handling for AF_INET, AF_INET, and
+AF_UNIX sockets as those address families have special hooks which
+label the sock before it is attached its associated socket.
+Unfortunately, the sock_graft() hook was missing a default approach
+to labeling sockets which meant that any other address family which
+made use of connections or the accept() syscall would find the
+returned socket to be in an "unlabeled" state.  This was recently
+demonstrated by the kcrypto/AF_ALG subsystem and the newly released
+cryptsetup package (cryptsetup v1.6.5 and later).
+
+This patch preserves the special handling in selinux_sock_graft(),
+but adds a default behavior - setting the sock's label equal to the
+associated socket - which resolves the problem with AF_ALG and
+presumably any other address family which makes use of accept().
+
+Cc: stable at vger.kernel.org
+Signed-off-by: Paul Moore <pmoore at redhat.com>
+Tested-by: Milan Broz <gmazyland at gmail.com>
+---
+ include/linux/security.h |  5 ++++-
+ security/selinux/hooks.c | 13 +++++++++++--
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/security.h b/include/linux/security.h
+index 6478ce3..794be73 100644
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -987,7 +987,10 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
+  *	Retrieve the LSM-specific secid for the sock to enable caching of network
+  *	authorizations.
+  * @sock_graft:
+- *	Sets the socket's isec sid to the sock's sid.
++ *	This hook is called in response to a newly created sock struct being
++ *	grafted onto an existing socket and allows the security module to
++ *	perform whatever security attribute management is necessary for both
++ *	the sock and socket.
+  * @inet_conn_request:
+  *	Sets the openreq's sid to socket's sid with MLS portion taken from peer sid.
+  * @inet_csk_clone:
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index 336f0a0..b3a6754 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -4499,9 +4499,18 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent)
+ 	struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
+ 	struct sk_security_struct *sksec = sk->sk_security;
+ 
+-	if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
+-	    sk->sk_family == PF_UNIX)
++	switch (sk->sk_family) {
++	case PF_INET:
++	case PF_INET6:
++	case PF_UNIX:
+ 		isec->sid = sksec->sid;
++		break;
++	default:
++		/* by default there is no special labeling mechanism for the
++		 * sksec label so inherit the label from the parent socket */
++		BUG_ON(sksec->sid != SECINITSID_UNLABELED);
++		sksec->sid = isec->sid;
++	}
+ 	sksec->sclass = isec->sclass;
+ }
+ 
+-- 
+1.9.3
+

More information about the scm-commits mailing list