Apply different patch from Milan Broz to fix LUKS partitions (rhbz 1115120)

This commit is contained in:
Josh Boyer 2014-07-30 11:21:58 -04:00
parent b8a1bd4593
commit 74a17995ec
3 changed files with 49 additions and 77 deletions

View File

@ -0,0 +1,44 @@
Th AF_ALG socket was missing a security label (e.g. SELinux)
which means that socket was in "unlabeled" state.
This was recently demonstrated in the cryptsetup package
(cryptsetup v1.6.5 and later.)
See https://bugzilla.redhat.com/show_bug.cgi?id=1115120
This patch clones the sock's label from the parent sock
and resolves the issue (similar to AF_BLUETOOTH protocol family).
Cc: stable@vger.kernel.org
Signed-off-by: Milan Broz <gmazyland@gmail.com>
---
crypto/af_alg.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/crypto/af_alg.c b/crypto/af_alg.c
index 966f893..6a3ad80 100644
--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -21,6 +21,7 @@
#include <linux/module.h>
#include <linux/net.h>
#include <linux/rwsem.h>
+#include <linux/security.h>
struct alg_type_list {
const struct af_alg_type *type;
@@ -243,6 +244,7 @@ int af_alg_accept(struct sock *sk, struct socket *newsock)
sock_init_data(newsock, sk2);
sock_graft(sk2, newsock);
+ security_sk_clone(sk, sk2);
err = type->accept(ask->private, sk2);
if (err) {
--
2.0.1
_______________________________________________
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.

View File

@ -644,7 +644,7 @@ Patch25110: 0001-ideapad-laptop-Change-Lenovo-Yoga-2-series-rfkill-ha.patch
Patch25118: sched-fix-sched_setparam-policy-1-logic.patch Patch25118: sched-fix-sched_setparam-policy-1-logic.patch
#rhbz 1115120 #rhbz 1115120
Patch25120: selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch Patch25120: crypto-properly-label-AF_ALG-socket.patch
# git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel # git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
Patch30000: kernel-arm64.patch Patch30000: kernel-arm64.patch
@ -1378,7 +1378,7 @@ ApplyPatch 0001-ideapad-laptop-Change-Lenovo-Yoga-2-series-rfkill-ha.patch
ApplyPatch sched-fix-sched_setparam-policy-1-logic.patch ApplyPatch sched-fix-sched_setparam-policy-1-logic.patch
#rhbz 1115120 #rhbz 1115120
ApplyPatch selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch ApplyPatch crypto-properly-label-AF_ALG-socket.patch
%if 0%{?aarch64patches} %if 0%{?aarch64patches}
ApplyPatch kernel-arm64.patch ApplyPatch kernel-arm64.patch
@ -2265,6 +2265,9 @@ fi
# ||----w | # ||----w |
# || || # || ||
%changelog %changelog
* Wed Jul 30 2014 Josh Boyer <jwboyer@fedoraproject.org>
- Apply different patch from Milan Broz to fix LUKS partitions (rhbz 1115120)
* Tue Jul 29 2014 Kyle McMartin <kyle@fedoraproject.org> * Tue Jul 29 2014 Kyle McMartin <kyle@fedoraproject.org>
- kernel-arm64.patch: update from upstream git. - kernel-arm64.patch: update from upstream git.

View File

@ -1,75 +0,0 @@
Bugzilla: 1115120
Upstream-status: sent for 3.16
From 4da6daf4d3df5a977e4623963f141a627fd2efce Mon Sep 17 00:00:00 2001
From: Paul Moore <pmoore@redhat.com>
Date: Thu, 10 Jul 2014 10:17:48 -0400
Subject: [PATCH] selinux: fix the default socket labeling in sock_graft()
The sock_graft() hook has special handling for AF_INET, AF_INET, and
AF_UNIX sockets as those address families have special hooks which
label the sock before it is attached its associated socket.
Unfortunately, the sock_graft() hook was missing a default approach
to labeling sockets which meant that any other address family which
made use of connections or the accept() syscall would find the
returned socket to be in an "unlabeled" state. This was recently
demonstrated by the kcrypto/AF_ALG subsystem and the newly released
cryptsetup package (cryptsetup v1.6.5 and later).
This patch preserves the special handling in selinux_sock_graft(),
but adds a default behavior - setting the sock's label equal to the
associated socket - which resolves the problem with AF_ALG and
presumably any other address family which makes use of accept().
Cc: stable@vger.kernel.org
Signed-off-by: Paul Moore <pmoore@redhat.com>
Tested-by: Milan Broz <gmazyland@gmail.com>
---
include/linux/security.h | 5 ++++-
security/selinux/hooks.c | 13 +++++++++++--
2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/include/linux/security.h b/include/linux/security.h
index 6478ce3..794be73 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -987,7 +987,10 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
* Retrieve the LSM-specific secid for the sock to enable caching of network
* authorizations.
* @sock_graft:
- * Sets the socket's isec sid to the sock's sid.
+ * This hook is called in response to a newly created sock struct being
+ * grafted onto an existing socket and allows the security module to
+ * perform whatever security attribute management is necessary for both
+ * the sock and socket.
* @inet_conn_request:
* Sets the openreq's sid to socket's sid with MLS portion taken from peer sid.
* @inet_csk_clone:
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 336f0a0..b3a6754 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4499,9 +4499,18 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent)
struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
struct sk_security_struct *sksec = sk->sk_security;
- if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
- sk->sk_family == PF_UNIX)
+ switch (sk->sk_family) {
+ case PF_INET:
+ case PF_INET6:
+ case PF_UNIX:
isec->sid = sksec->sid;
+ break;
+ default:
+ /* by default there is no special labeling mechanism for the
+ * sksec label so inherit the label from the parent socket */
+ BUG_ON(sksec->sid != SECINITSID_UNLABELED);
+ sksec->sid = isec->sid;
+ }
sksec->sclass = isec->sclass;
}
--
1.9.3