[3.13.y.z extended stable] Patch "Revert "selinux: fix the default socket labeling in sock_graft()"" has been added to staging queue

Kamal Mostafa kamal at canonical.com
Mon Sep 15 22:07:45 UTC 2014


This is a note to let you know that I have just added a patch titled

    Revert "selinux: fix the default socket labeling in sock_graft()"

to the linux-3.13.y-queue branch of the 3.13.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.13.y-queue

This patch is scheduled to be released in version 3.13.11.7.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.13.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Kamal

------

>From 5a3e1e6b1ed6f682c06b7c6e514af40d36f4f184 Mon Sep 17 00:00:00 2001
From: Paul Moore <pmoore at redhat.com>
Date: Mon, 28 Jul 2014 10:42:48 -0400
Subject: Revert "selinux: fix the default socket labeling in sock_graft()"

commit 2873ead7e46694910ac49c3a8ee0f54956f96e0c upstream.

This reverts commit 4da6daf4d3df5a977e4623963f141a627fd2efce.

Unfortunately, the commit in question caused problems with Bluetooth
devices, specifically it caused them to get caught in the newly
created BUG_ON() check.  The AF_ALG problem still exists, but will be
addressed in a future patch.

Signed-off-by: Paul Moore <pmoore at redhat.com>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
 include/linux/security.h |  5 +----
 security/selinux/hooks.c | 13 ++-----------
 2 files changed, 3 insertions(+), 15 deletions(-)

diff --git a/include/linux/security.h b/include/linux/security.h
index e42af21..5623a7f 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -987,10 +987,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
  *	Retrieve the LSM-specific secid for the sock to enable caching of network
  *	authorizations.
  * @sock_graft:
- *	This hook is called in response to a newly created sock struct being
- *	grafted onto an existing socket and allows the security module to
- *	perform whatever security attribute management is necessary for both
- *	the sock and socket.
+ *	Sets the socket's isec sid to the sock's sid.
  * @inet_conn_request:
  *	Sets the openreq's sid to socket's sid with MLS portion taken from peer sid.
  * @inet_csk_clone:
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index f66143d..019749c 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4497,18 +4497,9 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent)
 	struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
 	struct sk_security_struct *sksec = sk->sk_security;

-	switch (sk->sk_family) {
-	case PF_INET:
-	case PF_INET6:
-	case PF_UNIX:
+	if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
+	    sk->sk_family == PF_UNIX)
 		isec->sid = sksec->sid;
-		break;
-	default:
-		/* by default there is no special labeling mechanism for the
-		 * sksec label so inherit the label from the parent socket */
-		BUG_ON(sksec->sid != SECINITSID_UNLABELED);
-		sksec->sid = isec->sid;
-	}
 	sksec->sclass = isec->sclass;
 }

--
1.9.1





More information about the kernel-team mailing list