From 74a17995ecd302938e44188a32b59abbe4cd0084 Mon Sep 17 00:00:00 2001
From: Josh Boyer
Date: Wed, 30 Jul 2014 11:21:58 -0400
Subject: [PATCH] Apply different patch from Milan Broz to fix LUKS partitions (rhbz 1115120)
---
 crypto-properly-label-AF_ALG-socket.patch | 44 +++++++++++
 kernel.spec | 7 +-
 ...daf4d3df5a977e4623963f141a627fd2efce.patch | 75 ------------------
 3 files changed, 49 insertions(+), 77 deletions(-)
 create mode 100644 crypto-properly-label-AF_ALG-socket.patch
 delete mode 100644 selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch
diff --git a/crypto-properly-label-AF_ALG-socket.patch b/crypto-properly-label-AF_ALG-socket.patch
new file mode 100644
index 000000000..b42186bde
--- /dev/null
+++ b/crypto-properly-label-AF_ALG-socket.patch
@@ -0,0 +1,44 @@
+Th AF_ALG socket was missing a security label (e.g. SELinux)
+which means that socket was in "unlabeled" state.
+
+This was recently demonstrated in the cryptsetup package
+(cryptsetup v1.6.5 and later.)
+See https://bugzilla.redhat.com/show_bug.cgi?id=1115120
+
+This patch clones the sock's label from the parent sock
+and resolves the issue (similar to AF_BLUETOOTH protocol family).
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Milan Broz
+---
+ crypto/af_alg.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/crypto/af_alg.c b/crypto/af_alg.c
+index 966f893..6a3ad80 100644
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -21,6 +21,7 @@
+ #include
+ #include
+ #include
++#include
+ 
+ struct alg_type_list {
+ const struct af_alg_type *type;
+@@ -243,6 +244,7 @@ int af_alg_accept(struct sock *sk, struct socket *newsock)
+ 
+ sock_init_data(newsock, sk2);
+ sock_graft(sk2, newsock);
++ security_sk_clone(sk, sk2);
+ 
+ err = type->accept(ask->private, sk2);
+ if (err) {
+--
+2.0.1
+
+_______________________________________________
+Selinux mailing list
+Selinux@tycho.nsa.gov
+To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
+To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
\ No newline at end of file
diff --git a/kernel.spec b/kernel.spec
index 91f243bc7..960e0bc18 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -644,7 +644,7 @@ Patch25110: 0001-ideapad-laptop-Change-Lenovo-Yoga-2-series-rfkill-ha.patch
 Patch25118: sched-fix-sched_setparam-policy-1-logic.patch
 #rhbz 1115120
-Patch25120: selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch
+Patch25120: crypto-properly-label-AF_ALG-socket.patch
 # git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
 Patch30000: kernel-arm64.patch
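Review bot: The new patch file carries no `Bugzilla:`/`Upstream-status:` header, unlike the selinux-4da6daf…patch it replaces, so nothing in-tree records whether the `security_sk_clone(sk, sk2)` change to af_alg_accept() is queued upstream or is Fedora-only, nor when it can be dropped; put `Bugzilla: 1115120` and an `Upstream-status:` line ahead of the description (the mailing-list footer at the end of the file shows it was posted to the selinux list, which is the only provenance visible here), and fix the `Th` → `The` typo on the description's first line while there. As rendered, the three `#include` context lines and the added `++#include` have lost their header names, which is probably an extraction artifact, but if the committed file really reads that way the context will not match crypto/af_alg.c and ApplyPatch will fail, so a dry-run apply against the tree the spec builds is worth doing before pushing. The placement itself looks right: sk2 is labelled after sock_graft() and before type->accept(), so no callback can observe it unlabeled, consistent with the AF_BLUETOOTH precedent the description cites. af_alg_accept() begins and ends outside the quoted hunk.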
@@ -1378,7 +1378,7 @@ ApplyPatch 0001-ideapad-laptop-Change-Lenovo-Yoga-2-series-rfkill-ha.patch
 ApplyPatch sched-fix-sched_setparam-policy-1-logic.patch
 #rhbz 1115120
-ApplyPatch selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch
+ApplyPatch crypto-properly-label-AF_ALG-socket.patch
 %if 0%{?aarch64patches}
 ApplyPatch kernel-arm64.patch
@@ -2265,6 +2265,9 @@ fi
 # ||----w |
 # || ||
 %changelog
+* Wed Jul 30 2014 Josh Boyer
+- Apply different patch from Milan Broz to fix LUKS partitions (rhbz 1115120)
+
 * Tue Jul 29 2014 Kyle McMartin
 - kernel-arm64.patch: update from upstream git.
diff --git a/selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch b/selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch
deleted file mode 100644
index bf8d534fc..000000000
--- a/selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-Bugzilla: 1115120
-Upstream-status: sent for 3.16
-
-From 4da6daf4d3df5a977e4623963f141a627fd2efce Mon Sep 17 00:00:00 2001
-From: Paul Moore
-Date: Thu, 10 Jul 2014 10:17:48 -0400
-Subject: [PATCH] selinux: fix the default socket labeling in sock_graft()
-
-The sock_graft() hook has special handling for AF_INET, AF_INET, and
-AF_UNIX sockets as those address families have special hooks which
-label the sock before it is attached its associated socket.
-Unfortunately, the sock_graft() hook was missing a default approach
-to labeling sockets which meant that any other address family which
-made use of connections or the accept() syscall would find the
-returned socket to be in an "unlabeled" state. This was recently
-demonstrated by the kcrypto/AF_ALG subsystem and the newly released
-cryptsetup package (cryptsetup v1.6.5 and later).
-
-This patch preserves the special handling in selinux_sock_graft(),
-but adds a default behavior - setting the sock's label equal to the
-associated socket - which resolves the problem with AF_ALG and
-presumably any other address family which makes use of accept().
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Paul Moore
-Tested-by: Milan Broz
----
- include/linux/security.h | 5 ++++-
- security/selinux/hooks.c | 13 +++++++++++--
- 2 files changed, 15 insertions(+), 3 deletions(-)
-
-diff --git a/include/linux/security.h b/include/linux/security.h
-index 6478ce3..794be73 100644
---- a/include/linux/security.h
-+++ b/include/linux/security.h
-@@ -987,7 +987,10 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
- * Retrieve the LSM-specific secid for the sock to enable caching of network
- * authorizations.
- * @sock_graft:
-- * Sets the socket's isec sid to the sock's sid.
-+ * This hook is called in response to a newly created sock struct being
-+ * grafted onto an existing socket and allows the security module to
-+ * perform whatever security attribute management is necessary for both
-+ * the sock and socket.
- * @inet_conn_request:
- * Sets the openreq's sid to socket's sid with MLS portion taken from peer sid.
- * @inet_csk_clone:
-diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index 336f0a0..b3a6754 100644
---- a/security/selinux/hooks.c
-+++ b/security/selinux/hooks.c
-@@ -4499,9 +4499,18 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent)
- struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
- struct sk_security_struct *sksec = sk->sk_security;
-
-- if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
-- sk->sk_family == PF_UNIX)
-+ switch (sk->sk_family) {
-+ case PF_INET:
-+ case PF_INET6:
-+ case PF_UNIX:
- isec->sid = sksec->sid;
-+ break;
-+ default:
-+ /* by default there is no special labeling mechanism for the
-+ * sksec label so inherit the label from the parent socket */
-+ BUG_ON(sksec->sid != SECINITSID_UNLABELED);
-+ sksec->sid = isec->sid;
-+ }
- sksec->sclass = isec->sclass;
- }
-
---
-1.9.3
-