Apply different patch from Milan Broz to fix LUKS partitions (rhbz 1115120)
This commit is contained in:
parent
d0ba439bf2
commit
082b8c8ad3
44
crypto-properly-label-AF_ALG-socket.patch
Normal file
44
crypto-properly-label-AF_ALG-socket.patch
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
Th AF_ALG socket was missing a security label (e.g. SELinux)
|
||||||
|
which means that socket was in "unlabeled" state.
|
||||||
|
|
||||||
|
This was recently demonstrated in the cryptsetup package
|
||||||
|
(cryptsetup v1.6.5 and later.)
|
||||||
|
See https://bugzilla.redhat.com/show_bug.cgi?id=1115120
|
||||||
|
|
||||||
|
This patch clones the sock's label from the parent sock
|
||||||
|
and resolves the issue (similar to AF_BLUETOOTH protocol family).
|
||||||
|
|
||||||
|
Cc: stable@vger.kernel.org
|
||||||
|
Signed-off-by: Milan Broz <gmazyland@gmail.com>
|
||||||
|
---
|
||||||
|
crypto/af_alg.c | 2 ++
|
||||||
|
1 file changed, 2 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/crypto/af_alg.c b/crypto/af_alg.c
|
||||||
|
index 966f893..6a3ad80 100644
|
||||||
|
--- a/crypto/af_alg.c
|
||||||
|
+++ b/crypto/af_alg.c
|
||||||
|
@@ -21,6 +21,7 @@
|
||||||
|
#include <linux/module.h>
|
||||||
|
#include <linux/net.h>
|
||||||
|
#include <linux/rwsem.h>
|
||||||
|
+#include <linux/security.h>
|
||||||
|
|
||||||
|
struct alg_type_list {
|
||||||
|
const struct af_alg_type *type;
|
||||||
|
@@ -243,6 +244,7 @@ int af_alg_accept(struct sock *sk, struct socket *newsock)
|
||||||
|
|
||||||
|
sock_init_data(newsock, sk2);
|
||||||
|
sock_graft(sk2, newsock);
|
||||||
|
+ security_sk_clone(sk, sk2);
|
||||||
|
|
||||||
|
err = type->accept(ask->private, sk2);
|
||||||
|
if (err) {
|
||||||
|
--
|
||||||
|
2.0.1
|
||||||
|
|
||||||
|
_______________________________________________
|
||||||
|
Selinux mailing list
|
||||||
|
Selinux@tycho.nsa.gov
|
||||||
|
To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
|
||||||
|
To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
|
@ -644,7 +644,7 @@ Patch25110: 0001-ideapad-laptop-Change-Lenovo-Yoga-2-series-rfkill-ha.patch
|
|||||||
Patch25118: sched-fix-sched_setparam-policy-1-logic.patch
|
Patch25118: sched-fix-sched_setparam-policy-1-logic.patch
|
||||||
|
|
||||||
#rhbz 1115120
|
#rhbz 1115120
|
||||||
Patch25120: selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch
|
Patch25120: crypto-properly-label-AF_ALG-socket.patch
|
||||||
|
|
||||||
# git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
|
# git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
|
||||||
Patch30000: kernel-arm64.patch
|
Patch30000: kernel-arm64.patch
|
||||||
@ -1378,7 +1378,7 @@ ApplyPatch 0001-ideapad-laptop-Change-Lenovo-Yoga-2-series-rfkill-ha.patch
|
|||||||
ApplyPatch sched-fix-sched_setparam-policy-1-logic.patch
|
ApplyPatch sched-fix-sched_setparam-policy-1-logic.patch
|
||||||
|
|
||||||
#rhbz 1115120
|
#rhbz 1115120
|
||||||
ApplyPatch selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch
|
ApplyPatch crypto-properly-label-AF_ALG-socket.patch
|
||||||
|
|
||||||
%if 0%{?aarch64patches}
|
%if 0%{?aarch64patches}
|
||||||
ApplyPatch kernel-arm64.patch
|
ApplyPatch kernel-arm64.patch
|
||||||
@ -2265,6 +2265,9 @@ fi
|
|||||||
# ||----w |
|
# ||----w |
|
||||||
# || ||
|
# || ||
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Jul 30 2014 Josh Boyer <jwboyer@fedoraproject.org>
|
||||||
|
- Apply different patch from Milan Broz to fix LUKS partitions (rhbz 1115120)
|
||||||
|
|
||||||
* Tue Jul 29 2014 Kyle McMartin <kyle@fedoraproject.org>
|
* Tue Jul 29 2014 Kyle McMartin <kyle@fedoraproject.org>
|
||||||
- kernel-arm64.patch: update from upstream git.
|
- kernel-arm64.patch: update from upstream git.
|
||||||
|
|
||||||
|
@ -1,75 +0,0 @@
|
|||||||
Bugzilla: 1115120
|
|
||||||
Upstream-status: sent for 3.16
|
|
||||||
|
|
||||||
From 4da6daf4d3df5a977e4623963f141a627fd2efce Mon Sep 17 00:00:00 2001
|
|
||||||
From: Paul Moore <pmoore@redhat.com>
|
|
||||||
Date: Thu, 10 Jul 2014 10:17:48 -0400
|
|
||||||
Subject: [PATCH] selinux: fix the default socket labeling in sock_graft()
|
|
||||||
|
|
||||||
The sock_graft() hook has special handling for AF_INET, AF_INET, and
|
|
||||||
AF_UNIX sockets as those address families have special hooks which
|
|
||||||
label the sock before it is attached its associated socket.
|
|
||||||
Unfortunately, the sock_graft() hook was missing a default approach
|
|
||||||
to labeling sockets which meant that any other address family which
|
|
||||||
made use of connections or the accept() syscall would find the
|
|
||||||
returned socket to be in an "unlabeled" state. This was recently
|
|
||||||
demonstrated by the kcrypto/AF_ALG subsystem and the newly released
|
|
||||||
cryptsetup package (cryptsetup v1.6.5 and later).
|
|
||||||
|
|
||||||
This patch preserves the special handling in selinux_sock_graft(),
|
|
||||||
but adds a default behavior - setting the sock's label equal to the
|
|
||||||
associated socket - which resolves the problem with AF_ALG and
|
|
||||||
presumably any other address family which makes use of accept().
|
|
||||||
|
|
||||||
Cc: stable@vger.kernel.org
|
|
||||||
Signed-off-by: Paul Moore <pmoore@redhat.com>
|
|
||||||
Tested-by: Milan Broz <gmazyland@gmail.com>
|
|
||||||
---
|
|
||||||
include/linux/security.h | 5 ++++-
|
|
||||||
security/selinux/hooks.c | 13 +++++++++++--
|
|
||||||
2 files changed, 15 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/include/linux/security.h b/include/linux/security.h
|
|
||||||
index 6478ce3..794be73 100644
|
|
||||||
--- a/include/linux/security.h
|
|
||||||
+++ b/include/linux/security.h
|
|
||||||
@@ -987,7 +987,10 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
|
|
||||||
* Retrieve the LSM-specific secid for the sock to enable caching of network
|
|
||||||
* authorizations.
|
|
||||||
* @sock_graft:
|
|
||||||
- * Sets the socket's isec sid to the sock's sid.
|
|
||||||
+ * This hook is called in response to a newly created sock struct being
|
|
||||||
+ * grafted onto an existing socket and allows the security module to
|
|
||||||
+ * perform whatever security attribute management is necessary for both
|
|
||||||
+ * the sock and socket.
|
|
||||||
* @inet_conn_request:
|
|
||||||
* Sets the openreq's sid to socket's sid with MLS portion taken from peer sid.
|
|
||||||
* @inet_csk_clone:
|
|
||||||
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
|
|
||||||
index 336f0a0..b3a6754 100644
|
|
||||||
--- a/security/selinux/hooks.c
|
|
||||||
+++ b/security/selinux/hooks.c
|
|
||||||
@@ -4499,9 +4499,18 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent)
|
|
||||||
struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
|
|
||||||
struct sk_security_struct *sksec = sk->sk_security;
|
|
||||||
|
|
||||||
- if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
|
|
||||||
- sk->sk_family == PF_UNIX)
|
|
||||||
+ switch (sk->sk_family) {
|
|
||||||
+ case PF_INET:
|
|
||||||
+ case PF_INET6:
|
|
||||||
+ case PF_UNIX:
|
|
||||||
isec->sid = sksec->sid;
|
|
||||||
+ break;
|
|
||||||
+ default:
|
|
||||||
+ /* by default there is no special labeling mechanism for the
|
|
||||||
+ * sksec label so inherit the label from the parent socket */
|
|
||||||
+ BUG_ON(sksec->sid != SECINITSID_UNLABELED);
|
|
||||||
+ sksec->sid = isec->sid;
|
|
||||||
+ }
|
|
||||||
sksec->sclass = isec->sclass;
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
1.9.3
|
|
||||||
|
|
Loading…
Reference in New Issue
Block a user