From 7d60e1ecb928c55bcebc348508606699815e00f9 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 25 Jul 2014 08:18:02 -0400 Subject: [PATCH] Fix selinux sock_graft hook for AF_ALG address family (rhbz 1115120) --- kernel.spec | 9 +++ ...daf4d3df5a977e4623963f141a627fd2efce.patch | 75 +++++++++++++++++++ 2 files changed, 84 insertions(+) create mode 100644 selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch diff --git a/kernel.spec b/kernel.spec index ce514e750..8840dc8e9 100644 --- a/kernel.spec +++ b/kernel.spec @@ -642,6 +642,9 @@ Patch25118: sched-fix-sched_setparam-policy-1-logic.patch #CVE-2014-5045 rhbz 1122472 1122482 Patch25119: fs-umount-on-symlink-leaks-mnt-count.patch +#rhbz 1115120 +Patch25120: selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch + # git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel Patch30000: kernel-arm64.patch @@ -1370,6 +1373,9 @@ ApplyPatch sched-fix-sched_setparam-policy-1-logic.patch #CVE-2014-5045 rhbz 1122472 1122482 ApplyPatch fs-umount-on-symlink-leaks-mnt-count.patch +#rhbz 1115120 +ApplyPatch selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch + %if 0%{?aarch64patches} ApplyPatch kernel-arm64.patch %ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does. @@ -2252,6 +2258,9 @@ fi # ||----w | # || || %changelog +* Fri Jul 25 2014 Josh Boyer +- Fix selinux sock_graft hook for AF_ALG address family (rhbz 1115120) + * Thu Jul 24 2014 Kyle McMartin - kernel-arm64.patch: update from upstream git. - arm64: update config-arm64 to include PCI support. diff --git a/selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch b/selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch new file mode 100644 index 000000000..bf8d534fc --- /dev/null +++ b/selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch @@ -0,0 +1,75 @@ +Bugzilla: 1115120 +Upstream-status: sent for 3.16 + +From 4da6daf4d3df5a977e4623963f141a627fd2efce Mon Sep 17 00:00:00 2001 +From: Paul Moore +Date: Thu, 10 Jul 2014 10:17:48 -0400 +Subject: [PATCH] selinux: fix the default socket labeling in sock_graft() + +The sock_graft() hook has special handling for AF_INET, AF_INET, and +AF_UNIX sockets as those address families have special hooks which +label the sock before it is attached its associated socket. +Unfortunately, the sock_graft() hook was missing a default approach +to labeling sockets which meant that any other address family which +made use of connections or the accept() syscall would find the +returned socket to be in an "unlabeled" state. This was recently +demonstrated by the kcrypto/AF_ALG subsystem and the newly released +cryptsetup package (cryptsetup v1.6.5 and later). + +This patch preserves the special handling in selinux_sock_graft(), +but adds a default behavior - setting the sock's label equal to the +associated socket - which resolves the problem with AF_ALG and +presumably any other address family which makes use of accept(). + +Cc: stable@vger.kernel.org +Signed-off-by: Paul Moore +Tested-by: Milan Broz +--- + include/linux/security.h | 5 ++++- + security/selinux/hooks.c | 13 +++++++++++-- + 2 files changed, 15 insertions(+), 3 deletions(-) + +diff --git a/include/linux/security.h b/include/linux/security.h +index 6478ce3..794be73 100644 +--- a/include/linux/security.h ++++ b/include/linux/security.h +@@ -987,7 +987,10 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) + * Retrieve the LSM-specific secid for the sock to enable caching of network + * authorizations. + * @sock_graft: +- * Sets the socket's isec sid to the sock's sid. ++ * This hook is called in response to a newly created sock struct being ++ * grafted onto an existing socket and allows the security module to ++ * perform whatever security attribute management is necessary for both ++ * the sock and socket. + * @inet_conn_request: + * Sets the openreq's sid to socket's sid with MLS portion taken from peer sid. + * @inet_csk_clone: +diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c +index 336f0a0..b3a6754 100644 +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -4499,9 +4499,18 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent) + struct inode_security_struct *isec = SOCK_INODE(parent)->i_security; + struct sk_security_struct *sksec = sk->sk_security; + +- if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || +- sk->sk_family == PF_UNIX) ++ switch (sk->sk_family) { ++ case PF_INET: ++ case PF_INET6: ++ case PF_UNIX: + isec->sid = sksec->sid; ++ break; ++ default: ++ /* by default there is no special labeling mechanism for the ++ * sksec label so inherit the label from the parent socket */ ++ BUG_ON(sksec->sid != SECINITSID_UNLABELED); ++ sksec->sid = isec->sid; ++ } + sksec->sclass = isec->sclass; + } + +-- +1.9.3 +