[net] sctp: label accepted/peeled off sockets

Message ID 339eee4a8d20118f871fda8a8b38591a60bea59b.1450895942.git.marcelo.leitner@gmail.com
State Accepted, archived
Delegated to: David Miller
Commit Message

Marcelo Leitner Dec. 23, 2015, 6:44 p.m. UTC
From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>

Accepted or peeled off sockets were missing a security label (e.g.
SELinux) which means that socket was in "unlabeled" state.

This patch clones the sock's label from the parent sock and resolves the
issue (similar to AF_BLUETOOTH protocol family).

Cc: Paul Moore <pmoore@redhat.com>
Cc: David Teigland <teigland@redhat.com>
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
---
 net/sctp/socket.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Paul Moore Dec. 23, 2015, 8:05 p.m. UTC | #1
On Wednesday, December 23, 2015 04:44:09 PM Marcelo Ricardo Leitner wrote:
> From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
> 
> Accepted or peeled off sockets were missing a security label (e.g.
> SELinux) which means that socket was in "unlabeled" state.
> 
> This patch clones the sock's label from the parent sock and resolves the
> issue (similar to AF_BLUETOOTH protocol family).
> 
> Cc: Paul Moore <pmoore@redhat.com>
> Cc: David Teigland <teigland@redhat.com>
> Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
> ---
>  net/sctp/socket.c | 2 ++
>  1 file changed, 2 insertions(+)

[NOTE: added the LSM and SELinux lists to the CC line as a FYI]

Proper SCTP support is on the SELinux todo list, but in the meantime it looks 
like the patch below should at least ensure that SCTP sockets inherit their 
parent's label which is probably the best we can hope for right now.

Acked-by: Paul Moore <paul@paul-moore.com>

> diff --git a/net/sctp/socket.c b/net/sctp/socket.c
> index
> 400a14d744834c7a503b338bc68f5f8b5b5dae8e..b67162767b7957b3e9f4f7bf52ab51fc1
> a3499c8 100644 --- a/net/sctp/socket.c
> +++ b/net/sctp/socket.c
> @@ -7202,6 +7202,8 @@ void sctp_copy_sock(struct sock *newsk, struct sock
> *sk,
> 
>  	if (newsk->sk_flags & SK_FLAGS_TIMESTAMP)
>  		net_enable_timestamp();
> +
> +	security_sk_clone(sk, newsk);
>  }
> 
>  static inline void sctp_copy_descendant(struct sock *sk_to,
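Review bot: the commit message claims both accepted and peeled-off sockets are fixed, but the hunk only shows the single function sctp_copy_sock being touched; the message should state that both the accept() and the peeloff paths create their new sock through sctp_copy_sock, so a reader can verify from the description that one added call covers both cases named in the subject.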
David Miller Dec. 28, 2015, 5:15 a.m. UTC | #2
From: Marcelo Ricardo Leitner <mleitner@redhat.com>
Date: Wed, 23 Dec 2015 16:44:09 -0200

> From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
> 
> Accepted or peeled off sockets were missing a security label (e.g.
> SELinux) which means that socket was in "unlabeled" state.
> 
> This patch clones the sock's label from the parent sock and resolves the
> issue (similar to AF_BLUETOOTH protocol family).
> 
> Cc: Paul Moore <pmoore@redhat.com>
> Cc: David Teigland <teigland@redhat.com>
> Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>

Applied.
Patch

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 400a14d744834c7a503b338bc68f5f8b5b5dae8e..b67162767b7957b3e9f4f7bf52ab51fc1a3499c8 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -7202,6 +7202,8 @@  void sctp_copy_sock(struct sock *newsk, struct sock *sk,
 
 	if (newsk->sk_flags & SK_FLAGS_TIMESTAMP)
 		net_enable_timestamp();
+
+	security_sk_clone(sk, newsk);
 }
 
 static inline void sctp_copy_descendant(struct sock *sk_to,
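Review bot: the added `security_sk_clone(sk, newsk);` is placed as the last statement of sctp_copy_sock, after `net_enable_timestamp();`, with no comment explaining it; a one-line comment noting that newsk inherits the parent sk's LSM label here (the SELinux case from the commit message) and that newsk's security blob must already be allocated at this point would document the ordering assumption for anyone later reworking this function. Also confirm the argument order matches security_sk_clone's (source sock, new sock) parameter order, since a swap would silently clone in the wrong direction.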