Apply different patch from Milan Broz to fix LUKS partitions (rhbz 1115120)

2014-07-30 11:21:58 -04:00 · 2014-07-30 11:21:58 -04:00 · 74a17995ec
commit 74a17995ec
parent b8a1bd4593
3 changed files with 49 additions and 77 deletions
--- a/crypto-properly-label-AF_ALG-socket.patch
+++ b/crypto-properly-label-AF_ALG-socket.patch
@ -0,0 +1,44 @@
+Th AF_ALG socket was missing a security label (e.g. SELinux)
+which means that socket was in "unlabeled" state.
+
+This was recently demonstrated in the cryptsetup package
+(cryptsetup v1.6.5 and later.)
+See https://bugzilla.redhat.com/show_bug.cgi?id=1115120
+
+This patch clones the sock's label from the parent sock
+and resolves the issue (similar to AF_BLUETOOTH protocol family).
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Milan Broz <gmazyland@gmail.com>
+---
+ crypto/af_alg.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/crypto/af_alg.c b/crypto/af_alg.c
+index 966f893..6a3ad80 100644
+--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
+@@ -21,6 +21,7 @@
+ #include <linux/module.h>
+ #include <linux/net.h>
+ #include <linux/rwsem.h>
+#include <linux/security.h>
+ 
+ struct alg_type_list {
+ 	const struct af_alg_type *type;
+@@ -243,6 +244,7 @@ int af_alg_accept(struct sock *sk, struct socket *newsock)
+ 
+ 	sock_init_data(newsock, sk2);
+ 	sock_graft(sk2, newsock);
+	security_sk_clone(sk, sk2);
+ 
+ 	err = type->accept(ask->private, sk2);
+ 	if (err) {
+-- 
+2.0.1
+
+_______________________________________________
+Selinux mailing list
+Selinux@tycho.nsa.gov
+To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
+To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
--- a/kernel.spec
+++ b/kernel.spec
@ -644,7 +644,7 @@ Patch25110: 0001-ideapad-laptop-Change-Lenovo-Yoga-2-series-rfkill-ha.patch
 Patch25118: sched-fix-sched_setparam-policy-1-logic.patch

 #rhbz 1115120
-Patch25120: selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch
+Patch25120: crypto-properly-label-AF_ALG-socket.patch

 # git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
 Patch30000: kernel-arm64.patch
@ -1378,7 +1378,7 @@ ApplyPatch 0001-ideapad-laptop-Change-Lenovo-Yoga-2-series-rfkill-ha.patch
 ApplyPatch sched-fix-sched_setparam-policy-1-logic.patch

 #rhbz 1115120
-ApplyPatch selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch
+ApplyPatch crypto-properly-label-AF_ALG-socket.patch

 %if 0%{?aarch64patches}
 ApplyPatch kernel-arm64.patch
@ -2265,6 +2265,9 @@ fi
 #                                    ||----w |
 #                                    ||     ||
 %changelog
+* Wed Jul 30 2014 Josh Boyer <jwboyer@fedoraproject.org>
+- Apply different patch from Milan Broz to fix LUKS partitions (rhbz 1115120)
+
 * Tue Jul 29 2014 Kyle McMartin <kyle@fedoraproject.org>
 - kernel-arm64.patch: update from upstream git.

--- a/selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch
+++ b/selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch
@ -1,75 +0,0 @@
-Bugzilla: 1115120
-Upstream-status: sent for 3.16
-
-From 4da6daf4d3df5a977e4623963f141a627fd2efce Mon Sep 17 00:00:00 2001
-From: Paul Moore <pmoore@redhat.com>
-Date: Thu, 10 Jul 2014 10:17:48 -0400
-Subject: [PATCH] selinux: fix the default socket labeling in sock_graft()
-
-The sock_graft() hook has special handling for AF_INET, AF_INET, and
-AF_UNIX sockets as those address families have special hooks which
-label the sock before it is attached its associated socket.
-Unfortunately, the sock_graft() hook was missing a default approach
-to labeling sockets which meant that any other address family which
-made use of connections or the accept() syscall would find the
-returned socket to be in an "unlabeled" state.  This was recently
-demonstrated by the kcrypto/AF_ALG subsystem and the newly released
-cryptsetup package (cryptsetup v1.6.5 and later).
-
-This patch preserves the special handling in selinux_sock_graft(),
-but adds a default behavior - setting the sock's label equal to the
-associated socket - which resolves the problem with AF_ALG and
-presumably any other address family which makes use of accept().
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Paul Moore <pmoore@redhat.com>
-Tested-by: Milan Broz <gmazyland@gmail.com>
---
- include/linux/security.h |  5 ++++-
- security/selinux/hooks.c | 13 +++++++++++--
- 2 files changed, 15 insertions(+), 3 deletions(-)
-
-diff --git a/include/linux/security.h b/include/linux/security.h
-index 6478ce3..794be73 100644
--- a/include/linux/security.h
-+++ b/include/linux/security.h
-@@ -987,7 +987,10 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
-  *	Retrieve the LSM-specific secid for the sock to enable caching of network
-  *	authorizations.
-  * @sock_graft:
- *	Sets the socket's isec sid to the sock's sid.
-+ *	This hook is called in response to a newly created sock struct being
-+ *	grafted onto an existing socket and allows the security module to
-+ *	perform whatever security attribute management is necessary for both
-+ *	the sock and socket.
-  * @inet_conn_request:
-  *	Sets the openreq's sid to socket's sid with MLS portion taken from peer sid.
-  * @inet_csk_clone:
-diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index 336f0a0..b3a6754 100644
--- a/security/selinux/hooks.c
-+++ b/security/selinux/hooks.c
-@@ -4499,9 +4499,18 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent)
- 	struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
- 	struct sk_security_struct *sksec = sk->sk_security;
- 
-	if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
-	    sk->sk_family == PF_UNIX)
-+	switch (sk->sk_family) {
-+	case PF_INET:
-+	case PF_INET6:
-+	case PF_UNIX:
- 		isec->sid = sksec->sid;
-+		break;
-+	default:
-+		/* by default there is no special labeling mechanism for the
-+		 * sksec label so inherit the label from the parent socket */
-+		BUG_ON(sksec->sid != SECINITSID_UNLABELED);
-+		sksec->sid = isec->sid;
-+	}
- 	sksec->sclass = isec->sclass;
- }
- 
-- 
-1.9.3
-