aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorCatherine Zhang <cxzhang@watson.ibm.com>2006-06-29 15:27:47 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2006-06-29 19:58:06 -0400
commit877ce7c1b3afd69a9b1caeb1b9964c992641f52a (patch)
tree740c6c0d4a2858af53c09c4635cadf06833536c1
parentd6b4991ad5d1a9840e12db507be1a6593def01fe (diff)
[AF_UNIX]: Datagram getpeersec
This patch implements an API whereby an application can determine the label of its peer's Unix datagram sockets via the auxiliary data mechanism of recvmsg. Patch purpose: This patch enables a security-aware application to retrieve the security context of the peer of a Unix datagram socket. The application can then use this security context to determine the security context for processing on behalf of the peer who sent the packet. Patch design and implementation: The design and implementation is very similar to the UDP case for INET sockets. Basically we build upon the existing Unix domain socket API for retrieving user credentials. Linux offers the API for obtaining user credentials via ancillary messages (i.e., out of band/control messages that are bundled together with a normal message). To retrieve the security context, the application first indicates to the kernel such desire by setting the SO_PASSSEC option via getsockopt. Then the application retrieves the security context using the auxiliary data mechanism. An example server application for Unix datagram socket should look like this: toggle = 1; toggle_len = sizeof(toggle); setsockopt(sockfd, SOL_SOCKET, SO_PASSSEC, &toggle, &toggle_len); recvmsg(sockfd, &msg_hdr, 0); if (msg_hdr.msg_controllen > sizeof(struct cmsghdr)) { cmsg_hdr = CMSG_FIRSTHDR(&msg_hdr); if (cmsg_hdr->cmsg_len <= CMSG_LEN(sizeof(scontext)) && cmsg_hdr->cmsg_level == SOL_SOCKET && cmsg_hdr->cmsg_type == SCM_SECURITY) { memcpy(&scontext, CMSG_DATA(cmsg_hdr), sizeof(scontext)); } } sock_setsockopt is enhanced with a new socket option SOCK_PASSSEC to allow a server socket to receive security context of the peer. Testing: We have tested the patch by setting up Unix datagram client and server applications. We verified that the server can retrieve the security context using the auxiliary data mechanism of recvmsg. Signed-off-by: Catherine Zhang <cxzhang@watson.ibm.com> Acked-by: Acked-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--include/asm-alpha/socket.h1
-rw-r--r--include/asm-arm/socket.h1
-rw-r--r--include/asm-arm26/socket.h1
-rw-r--r--include/asm-cris/socket.h1
-rw-r--r--include/asm-frv/socket.h1
-rw-r--r--include/asm-h8300/socket.h1
-rw-r--r--include/asm-i386/socket.h1
-rw-r--r--include/asm-ia64/socket.h1
-rw-r--r--include/asm-m32r/socket.h1
-rw-r--r--include/asm-m68k/socket.h1
-rw-r--r--include/asm-mips/socket.h1
-rw-r--r--include/asm-parisc/socket.h1
-rw-r--r--include/asm-powerpc/socket.h1
-rw-r--r--include/asm-s390/socket.h1
-rw-r--r--include/asm-sh/socket.h1
-rw-r--r--include/asm-sparc/socket.h1
-rw-r--r--include/asm-sparc64/socket.h1
-rw-r--r--include/asm-v850/socket.h1
-rw-r--r--include/asm-x86_64/socket.h1
-rw-r--r--include/asm-xtensa/socket.h1
-rw-r--r--include/linux/net.h1
-rw-r--r--include/net/af_unix.h6
-rw-r--r--include/net/scm.h17
-rw-r--r--net/core/sock.c11
-rw-r--r--net/unix/af_unix.c27
-rw-r--r--security/selinux/hooks.c11
26 files changed, 90 insertions, 3 deletions
diff --git a/include/asm-alpha/socket.h b/include/asm-alpha/socket.h
index b5193229132a..d22ab97ea72e 100644
--- a/include/asm-alpha/socket.h
+++ b/include/asm-alpha/socket.h
@@ -51,6 +51,7 @@
51#define SCM_TIMESTAMP SO_TIMESTAMP 51#define SCM_TIMESTAMP SO_TIMESTAMP
52 52
53#define SO_PEERSEC 30 53#define SO_PEERSEC 30
54#define SO_PASSSEC 34
54 55
55/* Security levels - as per NRL IPv6 - don't actually do anything */ 56/* Security levels - as per NRL IPv6 - don't actually do anything */
56#define SO_SECURITY_AUTHENTICATION 19 57#define SO_SECURITY_AUTHENTICATION 19
diff --git a/include/asm-arm/socket.h b/include/asm-arm/socket.h
index 3c51da6438c9..19f7df702b06 100644
--- a/include/asm-arm/socket.h
+++ b/include/asm-arm/socket.h
@@ -48,5 +48,6 @@
48#define SO_ACCEPTCONN 30 48#define SO_ACCEPTCONN 30
49 49
50#define SO_PEERSEC 31 50#define SO_PEERSEC 31
51#define SO_PASSSEC 34
51 52
52#endif /* _ASM_SOCKET_H */ 53#endif /* _ASM_SOCKET_H */
diff --git a/include/asm-arm26/socket.h b/include/asm-arm26/socket.h
index 3c51da6438c9..19f7df702b06 100644
--- a/include/asm-arm26/socket.h
+++ b/include/asm-arm26/socket.h
@@ -48,5 +48,6 @@
48#define SO_ACCEPTCONN 30 48#define SO_ACCEPTCONN 30
49 49
50#define SO_PEERSEC 31 50#define SO_PEERSEC 31
51#define SO_PASSSEC 34
51 52
52#endif /* _ASM_SOCKET_H */ 53#endif /* _ASM_SOCKET_H */
diff --git a/include/asm-cris/socket.h b/include/asm-cris/socket.h
index 8b1da3e58c55..01cfdf1d6d33 100644
--- a/include/asm-cris/socket.h
+++ b/include/asm-cris/socket.h
@@ -50,6 +50,7 @@
50#define SO_ACCEPTCONN 30 50#define SO_ACCEPTCONN 30
51 51
52#define SO_PEERSEC 31 52#define SO_PEERSEC 31
53#define SO_PASSSEC 34
53 54
54#endif /* _ASM_SOCKET_H */ 55#endif /* _ASM_SOCKET_H */
55 56
diff --git a/include/asm-frv/socket.h b/include/asm-frv/socket.h
index 7177f8b9817c..31db18fc871f 100644
--- a/include/asm-frv/socket.h
+++ b/include/asm-frv/socket.h
@@ -48,6 +48,7 @@
48#define SO_ACCEPTCONN 30 48#define SO_ACCEPTCONN 30
49 49
50#define SO_PEERSEC 31 50#define SO_PEERSEC 31
51#define SO_PASSSEC 34
51 52
52#endif /* _ASM_SOCKET_H */ 53#endif /* _ASM_SOCKET_H */
53 54
diff --git a/include/asm-h8300/socket.h b/include/asm-h8300/socket.h
index d98cf85bafc1..ebc830fee0d0 100644
--- a/include/asm-h8300/socket.h
+++ b/include/asm-h8300/socket.h
@@ -48,5 +48,6 @@
48#define SO_ACCEPTCONN 30 48#define SO_ACCEPTCONN 30
49 49
50#define SO_PEERSEC 31 50#define SO_PEERSEC 31
51#define SO_PASSSEC 34
51 52
52#endif /* _ASM_SOCKET_H */ 53#endif /* _ASM_SOCKET_H */
diff --git a/include/asm-i386/socket.h b/include/asm-i386/socket.h
index 802ae76195b7..5755d57c4e95 100644
--- a/include/asm-i386/socket.h
+++ b/include/asm-i386/socket.h
@@ -48,5 +48,6 @@
48#define SO_ACCEPTCONN 30 48#define SO_ACCEPTCONN 30
49 49
50#define SO_PEERSEC 31 50#define SO_PEERSEC 31
51#define SO_PASSSEC 34
51 52
52#endif /* _ASM_SOCKET_H */ 53#endif /* _ASM_SOCKET_H */
diff --git a/include/asm-ia64/socket.h b/include/asm-ia64/socket.h
index a255006fb7b5..d638ef3d50c3 100644
--- a/include/asm-ia64/socket.h
+++ b/include/asm-ia64/socket.h
@@ -57,5 +57,6 @@
57#define SO_ACCEPTCONN 30 57#define SO_ACCEPTCONN 30
58 58
59#define SO_PEERSEC 31 59#define SO_PEERSEC 31
60#define SO_PASSSEC 34
60 61
61#endif /* _ASM_IA64_SOCKET_H */ 62#endif /* _ASM_IA64_SOCKET_H */
diff --git a/include/asm-m32r/socket.h b/include/asm-m32r/socket.h
index 8b6680f223c0..acdf748fcdc8 100644
--- a/include/asm-m32r/socket.h
+++ b/include/asm-m32r/socket.h
@@ -48,5 +48,6 @@
48#define SO_ACCEPTCONN 30 48#define SO_ACCEPTCONN 30
49 49
50#define SO_PEERSEC 31 50#define SO_PEERSEC 31
51#define SO_PASSSEC 34
51 52
52#endif /* _ASM_M32R_SOCKET_H */ 53#endif /* _ASM_M32R_SOCKET_H */
diff --git a/include/asm-m68k/socket.h b/include/asm-m68k/socket.h
index f578ca4b776a..a5966ec005ae 100644
--- a/include/asm-m68k/socket.h
+++ b/include/asm-m68k/socket.h
@@ -48,5 +48,6 @@
48#define SO_ACCEPTCONN 30 48#define SO_ACCEPTCONN 30
49 49
50#define SO_PEERSEC 31 50#define SO_PEERSEC 31
51#define SO_PASSSEC 34
51 52
52#endif /* _ASM_SOCKET_H */ 53#endif /* _ASM_SOCKET_H */
diff --git a/include/asm-mips/socket.h b/include/asm-mips/socket.h
index 0bb31e5aaca6..36ebe4e186a7 100644
--- a/include/asm-mips/socket.h
+++ b/include/asm-mips/socket.h
@@ -69,6 +69,7 @@ To add: #define SO_REUSEPORT 0x0200 /* Allow local address and port reuse. */
69#define SO_PEERSEC 30 69#define SO_PEERSEC 30
70#define SO_SNDBUFFORCE 31 70#define SO_SNDBUFFORCE 31
71#define SO_RCVBUFFORCE 33 71#define SO_RCVBUFFORCE 33
72#define SO_PASSSEC 34
72 73
73#ifdef __KERNEL__ 74#ifdef __KERNEL__
74 75
diff --git a/include/asm-parisc/socket.h b/include/asm-parisc/socket.h
index 1bf54dc53c10..ce2eae1708b5 100644
--- a/include/asm-parisc/socket.h
+++ b/include/asm-parisc/socket.h
@@ -48,5 +48,6 @@
48#define SO_ACCEPTCONN 0x401c 48#define SO_ACCEPTCONN 0x401c
49 49
50#define SO_PEERSEC 0x401d 50#define SO_PEERSEC 0x401d
51#define SO_PASSSEC 0x401e
51 52
52#endif /* _ASM_SOCKET_H */ 53#endif /* _ASM_SOCKET_H */
diff --git a/include/asm-powerpc/socket.h b/include/asm-powerpc/socket.h
index e4b8177d4acc..c8b1da50e72d 100644
--- a/include/asm-powerpc/socket.h
+++ b/include/asm-powerpc/socket.h
@@ -55,5 +55,6 @@
55#define SO_ACCEPTCONN 30 55#define SO_ACCEPTCONN 30
56 56
57#define SO_PEERSEC 31 57#define SO_PEERSEC 31
58#define SO_PASSSEC 34
58 59
59#endif /* _ASM_POWERPC_SOCKET_H */ 60#endif /* _ASM_POWERPC_SOCKET_H */
diff --git a/include/asm-s390/socket.h b/include/asm-s390/socket.h
index 15a5298c8744..1778a49a74c5 100644
--- a/include/asm-s390/socket.h
+++ b/include/asm-s390/socket.h
@@ -56,5 +56,6 @@
56#define SO_ACCEPTCONN 30 56#define SO_ACCEPTCONN 30
57 57
58#define SO_PEERSEC 31 58#define SO_PEERSEC 31
59#define SO_PASSSEC 34
59 60
60#endif /* _ASM_SOCKET_H */ 61#endif /* _ASM_SOCKET_H */
diff --git a/include/asm-sh/socket.h b/include/asm-sh/socket.h
index 553904ff9336..ca70362eb563 100644
--- a/include/asm-sh/socket.h
+++ b/include/asm-sh/socket.h
@@ -48,5 +48,6 @@
48#define SO_ACCEPTCONN 30 48#define SO_ACCEPTCONN 30
49 49
50#define SO_PEERSEC 31 50#define SO_PEERSEC 31
51#define SO_PASSSEC 34
51 52
52#endif /* __ASM_SH_SOCKET_H */ 53#endif /* __ASM_SH_SOCKET_H */
diff --git a/include/asm-sparc/socket.h b/include/asm-sparc/socket.h
index 4e0ce3a35ea9..f6c4e5baf3f7 100644
--- a/include/asm-sparc/socket.h
+++ b/include/asm-sparc/socket.h
@@ -48,6 +48,7 @@
48#define SCM_TIMESTAMP SO_TIMESTAMP 48#define SCM_TIMESTAMP SO_TIMESTAMP
49 49
50#define SO_PEERSEC 0x001e 50#define SO_PEERSEC 0x001e
51#define SO_PASSSEC 0x001f
51 52
52/* Security levels - as per NRL IPv6 - don't actually do anything */ 53/* Security levels - as per NRL IPv6 - don't actually do anything */
53#define SO_SECURITY_AUTHENTICATION 0x5001 54#define SO_SECURITY_AUTHENTICATION 0x5001
diff --git a/include/asm-sparc64/socket.h b/include/asm-sparc64/socket.h
index 59987dad3359..754d46a50af3 100644
--- a/include/asm-sparc64/socket.h
+++ b/include/asm-sparc64/socket.h
@@ -48,6 +48,7 @@
48#define SCM_TIMESTAMP SO_TIMESTAMP 48#define SCM_TIMESTAMP SO_TIMESTAMP
49 49
50#define SO_PEERSEC 0x001e 50#define SO_PEERSEC 0x001e
51#define SO_PASSSEC 0x001f
51 52
52/* Security levels - as per NRL IPv6 - don't actually do anything */ 53/* Security levels - as per NRL IPv6 - don't actually do anything */
53#define SO_SECURITY_AUTHENTICATION 0x5001 54#define SO_SECURITY_AUTHENTICATION 0x5001
diff --git a/include/asm-v850/socket.h b/include/asm-v850/socket.h
index 0240d366a0a4..0dfe55ac2ef2 100644
--- a/include/asm-v850/socket.h
+++ b/include/asm-v850/socket.h
@@ -48,5 +48,6 @@
48#define SO_ACCEPTCONN 30 48#define SO_ACCEPTCONN 30
49 49
50#define SO_PEERSEC 31 50#define SO_PEERSEC 31
51#define SO_PASSSEC 34
51 52
52#endif /* __V850_SOCKET_H__ */ 53#endif /* __V850_SOCKET_H__ */
diff --git a/include/asm-x86_64/socket.h b/include/asm-x86_64/socket.h
index f2cdbeae5d5b..b46702607933 100644
--- a/include/asm-x86_64/socket.h
+++ b/include/asm-x86_64/socket.h
@@ -48,5 +48,6 @@
48#define SO_ACCEPTCONN 30 48#define SO_ACCEPTCONN 30
49 49
50#define SO_PEERSEC 31 50#define SO_PEERSEC 31
51#define SO_PASSSEC 34
51 52
52#endif /* _ASM_SOCKET_H */ 53#endif /* _ASM_SOCKET_H */
diff --git a/include/asm-xtensa/socket.h b/include/asm-xtensa/socket.h
index 00f83f3a6d72..971d231be60e 100644
--- a/include/asm-xtensa/socket.h
+++ b/include/asm-xtensa/socket.h
@@ -59,5 +59,6 @@
59 59
60#define SO_ACCEPTCONN 30 60#define SO_ACCEPTCONN 30
61#define SO_PEERSEC 31 61#define SO_PEERSEC 31
62#define SO_PASSSEC 34
62 63
63#endif /* _XTENSA_SOCKET_H */ 64#endif /* _XTENSA_SOCKET_H */
diff --git a/include/linux/net.h b/include/linux/net.h
index 385e68f5bd93..b20c53c74413 100644
--- a/include/linux/net.h
+++ b/include/linux/net.h
@@ -61,6 +61,7 @@ typedef enum {
61#define SOCK_ASYNC_WAITDATA 1 61#define SOCK_ASYNC_WAITDATA 1
62#define SOCK_NOSPACE 2 62#define SOCK_NOSPACE 2
63#define SOCK_PASSCRED 3 63#define SOCK_PASSCRED 3
64#define SOCK_PASSSEC 4
64 65
65#ifndef ARCH_HAS_SOCKET_TYPES 66#ifndef ARCH_HAS_SOCKET_TYPES
66/** 67/**
diff --git a/include/net/af_unix.h b/include/net/af_unix.h
index 795f81f9ec7f..5ba72d95280c 100644
--- a/include/net/af_unix.h
+++ b/include/net/af_unix.h
@@ -53,10 +53,16 @@ struct unix_address {
53struct unix_skb_parms { 53struct unix_skb_parms {
54 struct ucred creds; /* Skb credentials */ 54 struct ucred creds; /* Skb credentials */
55 struct scm_fp_list *fp; /* Passed files */ 55 struct scm_fp_list *fp; /* Passed files */
56#ifdef CONFIG_SECURITY_NETWORK
57 char *secdata; /* Security context */
58 u32 seclen; /* Security length */
59#endif
56}; 60};
57 61
58#define UNIXCB(skb) (*(struct unix_skb_parms*)&((skb)->cb)) 62#define UNIXCB(skb) (*(struct unix_skb_parms*)&((skb)->cb))
59#define UNIXCREDS(skb) (&UNIXCB((skb)).creds) 63#define UNIXCREDS(skb) (&UNIXCB((skb)).creds)
64#define UNIXSECDATA(skb) (&UNIXCB((skb)).secdata)
65#define UNIXSECLEN(skb) (&UNIXCB((skb)).seclen)
60 66
61#define unix_state_rlock(s) spin_lock(&unix_sk(s)->lock) 67#define unix_state_rlock(s) spin_lock(&unix_sk(s)->lock)
62#define unix_state_runlock(s) spin_unlock(&unix_sk(s)->lock) 68#define unix_state_runlock(s) spin_unlock(&unix_sk(s)->lock)
diff --git a/include/net/scm.h b/include/net/scm.h
index 540619cb7160..02daa097cdcd 100644
--- a/include/net/scm.h
+++ b/include/net/scm.h
@@ -19,6 +19,10 @@ struct scm_cookie
19{ 19{
20 struct ucred creds; /* Skb credentials */ 20 struct ucred creds; /* Skb credentials */
21 struct scm_fp_list *fp; /* Passed files */ 21 struct scm_fp_list *fp; /* Passed files */
22#ifdef CONFIG_SECURITY_NETWORK
23 char *secdata; /* Security context */
24 u32 seclen; /* Security length */
25#endif
22 unsigned long seq; /* Connection seqno */ 26 unsigned long seq; /* Connection seqno */
23}; 27};
24 28
@@ -48,6 +52,17 @@ static __inline__ int scm_send(struct socket *sock, struct msghdr *msg,
48 return __scm_send(sock, msg, scm); 52 return __scm_send(sock, msg, scm);
49} 53}
50 54
55#ifdef CONFIG_SECURITY_NETWORK
56static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm)
57{
58 if (test_bit(SOCK_PASSSEC, &sock->flags) && scm->secdata != NULL)
59 put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, scm->seclen, scm->secdata);
60}
61#else
62static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm)
63{ }
64#endif /* CONFIG_SECURITY_NETWORK */
65
51static __inline__ void scm_recv(struct socket *sock, struct msghdr *msg, 66static __inline__ void scm_recv(struct socket *sock, struct msghdr *msg,
52 struct scm_cookie *scm, int flags) 67 struct scm_cookie *scm, int flags)
53{ 68{
@@ -62,6 +77,8 @@ static __inline__ void scm_recv(struct socket *sock, struct msghdr *msg,
62 if (test_bit(SOCK_PASSCRED, &sock->flags)) 77 if (test_bit(SOCK_PASSCRED, &sock->flags))
63 put_cmsg(msg, SOL_SOCKET, SCM_CREDENTIALS, sizeof(scm->creds), &scm->creds); 78 put_cmsg(msg, SOL_SOCKET, SCM_CREDENTIALS, sizeof(scm->creds), &scm->creds);
64 79
80 scm_passec(sock, msg, scm);
81
65 if (!scm->fp) 82 if (!scm->fp)
66 return; 83 return;
67 84
diff --git a/net/core/sock.c b/net/core/sock.c
index 5d820c376653..204a8dec65cc 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -565,6 +565,13 @@ set_rcvbuf:
565 ret = -ENONET; 565 ret = -ENONET;
566 break; 566 break;
567 567
568 case SO_PASSSEC:
569 if (valbool)
570 set_bit(SOCK_PASSSEC, &sock->flags);
571 else
572 clear_bit(SOCK_PASSSEC, &sock->flags);
573 break;
574
568 /* We implement the SO_SNDLOWAT etc to 575 /* We implement the SO_SNDLOWAT etc to
569 not be settable (1003.1g 5.3) */ 576 not be settable (1003.1g 5.3) */
570 default: 577 default:
@@ -723,6 +730,10 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
723 v.val = sk->sk_state == TCP_LISTEN; 730 v.val = sk->sk_state == TCP_LISTEN;
724 break; 731 break;
725 732
733 case SO_PASSSEC:
734 v.val = test_bit(SOCK_PASSSEC, &sock->flags) ? 1 : 0;
735 break;
736
726 case SO_PEERSEC: 737 case SO_PEERSEC:
727 return security_socket_getpeersec_stream(sock, optval, optlen, len); 738 return security_socket_getpeersec_stream(sock, optval, optlen, len);
728 739
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index d901465ce013..fd11d4048b52 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -128,6 +128,30 @@ static atomic_t unix_nr_socks = ATOMIC_INIT(0);
128 128
129#define UNIX_ABSTRACT(sk) (unix_sk(sk)->addr->hash != UNIX_HASH_SIZE) 129#define UNIX_ABSTRACT(sk) (unix_sk(sk)->addr->hash != UNIX_HASH_SIZE)
130 130
131#ifdef CONFIG_SECURITY_NETWORK
132static void unix_get_peersec_dgram(struct sk_buff *skb)
133{
134 int err;
135
136 err = security_socket_getpeersec_dgram(skb, UNIXSECDATA(skb),
137 UNIXSECLEN(skb));
138 if (err)
139 *(UNIXSECDATA(skb)) = NULL;
140}
141
142static inline void unix_set_secdata(struct scm_cookie *scm, struct sk_buff *skb)
143{
144 scm->secdata = *UNIXSECDATA(skb);
145 scm->seclen = *UNIXSECLEN(skb);
146}
147#else
148static void unix_get_peersec_dgram(struct sk_buff *skb)
149{ }
150
151static inline void unix_set_secdata(struct scm_cookie *scm, struct sk_buff *skb)
152{ }
153#endif /* CONFIG_SECURITY_NETWORK */
154
131/* 155/*
132 * SMP locking strategy: 156 * SMP locking strategy:
133 * hash table is protected with spinlock unix_table_lock 157 * hash table is protected with spinlock unix_table_lock
@@ -1291,6 +1315,8 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock,
1291 if (siocb->scm->fp) 1315 if (siocb->scm->fp)
1292 unix_attach_fds(siocb->scm, skb); 1316 unix_attach_fds(siocb->scm, skb);
1293 1317
1318 unix_get_peersec_dgram(skb);
1319
1294 skb->h.raw = skb->data; 1320 skb->h.raw = skb->data;
1295 err = memcpy_fromiovec(skb_put(skb,len), msg->msg_iov, len); 1321 err = memcpy_fromiovec(skb_put(skb,len), msg->msg_iov, len);
1296 if (err) 1322 if (err)
@@ -1570,6 +1596,7 @@ static int unix_dgram_recvmsg(struct kiocb *iocb, struct socket *sock,
1570 memset(&tmp_scm, 0, sizeof(tmp_scm)); 1596 memset(&tmp_scm, 0, sizeof(tmp_scm));
1571 } 1597 }
1572 siocb->scm->creds = *UNIXCREDS(skb); 1598 siocb->scm->creds = *UNIXCREDS(skb);
1599 unix_set_secdata(siocb->scm, skb);
1573 1600
1574 if (!(flags & MSG_PEEK)) 1601 if (!(flags & MSG_PEEK))
1575 { 1602 {
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index b6c378dd4f12..b85afcf38527 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -69,6 +69,7 @@
69#include <linux/sysctl.h> 69#include <linux/sysctl.h>
70#include <linux/audit.h> 70#include <linux/audit.h>
71#include <linux/string.h> 71#include <linux/string.h>
72#include <linux/selinux.h>
72 73
73#include "avc.h" 74#include "avc.h"
74#include "objsec.h" 75#include "objsec.h"
@@ -3420,7 +3421,13 @@ out:
3420static int selinux_socket_getpeersec_dgram(struct sk_buff *skb, char **secdata, u32 *seclen) 3421static int selinux_socket_getpeersec_dgram(struct sk_buff *skb, char **secdata, u32 *seclen)
3421{ 3422{
3422 int err = 0; 3423 int err = 0;
3423 u32 peer_sid = selinux_socket_getpeer_dgram(skb); 3424 u32 peer_sid;
3425
3426 if (skb->sk->sk_family == PF_UNIX)
3427 selinux_get_inode_sid(SOCK_INODE(skb->sk->sk_socket),
3428 &peer_sid);
3429 else
3430 peer_sid = selinux_socket_getpeer_dgram(skb);
3424 3431
3425 if (peer_sid == SECSID_NULL) 3432 if (peer_sid == SECSID_NULL)
3426 return -EINVAL; 3433 return -EINVAL;
@@ -3432,8 +3439,6 @@ static int selinux_socket_getpeersec_dgram(struct sk_buff *skb, char **secdata,
3432 return 0; 3439 return 0;
3433} 3440}
3434 3441
3435
3436
3437static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 3442static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
3438{ 3443{
3439 return sk_alloc_security(sk, family, priority); 3444 return sk_alloc_security(sk, family, priority);