diff options
| author | Paul Moore <pmoore@redhat.com> | 2014-07-28 10:42:48 -0400 |
|---|---|---|
| committer | Paul Moore <pmoore@redhat.com> | 2014-07-28 10:46:07 -0400 |
| commit | 2873ead7e46694910ac49c3a8ee0f54956f96e0c (patch) | |
| tree | ca9560e878d2842d45c6f99077d0d8b8f8b0f9ba | |
| parent | 4da6daf4d3df5a977e4623963f141a627fd2efce (diff) | |
Revert "selinux: fix the default socket labeling in sock_graft()"
This reverts commit 4da6daf4d3df5a977e4623963f141a627fd2efce.
Unfortunately, the commit in question caused problems with Bluetooth
devices, specifically it caused them to get caught in the newly
created BUG_ON() check. The AF_ALG problem still exists, but will be
addressed in a future patch.
Cc: stable@vger.kernel.org
Signed-off-by: Paul Moore <pmoore@redhat.com>
| -rw-r--r-- | include/linux/security.h | 5 | ||||
| -rw-r--r-- | security/selinux/hooks.c | 13 |
2 files changed, 3 insertions, 15 deletions
diff --git a/include/linux/security.h b/include/linux/security.h index 794be735ff4b..6478ce3252c7 100644 --- a/include/linux/security.h +++ b/include/linux/security.h | |||
| @@ -987,10 +987,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) | |||
| 987 | * Retrieve the LSM-specific secid for the sock to enable caching of network | 987 | * Retrieve the LSM-specific secid for the sock to enable caching of network |
| 988 | * authorizations. | 988 | * authorizations. |
| 989 | * @sock_graft: | 989 | * @sock_graft: |
| 990 | * This hook is called in response to a newly created sock struct being | 990 | * Sets the socket's isec sid to the sock's sid. |
| 991 | * grafted onto an existing socket and allows the security module to | ||
| 992 | * perform whatever security attribute management is necessary for both | ||
| 993 | * the sock and socket. | ||
| 994 | * @inet_conn_request: | 991 | * @inet_conn_request: |
| 995 | * Sets the openreq's sid to socket's sid with MLS portion taken from peer sid. | 992 | * Sets the openreq's sid to socket's sid with MLS portion taken from peer sid. |
| 996 | * @inet_csk_clone: | 993 | * @inet_csk_clone: |
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index b3a6754e932b..336f0a04450e 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -4499,18 +4499,9 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent) | |||
| 4499 | struct inode_security_struct *isec = SOCK_INODE(parent)->i_security; | 4499 | struct inode_security_struct *isec = SOCK_INODE(parent)->i_security; |
| 4500 | struct sk_security_struct *sksec = sk->sk_security; | 4500 | struct sk_security_struct *sksec = sk->sk_security; |
| 4501 | 4501 | ||
| 4502 | switch (sk->sk_family) { | 4502 | if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || |
| 4503 | case PF_INET: | 4503 | sk->sk_family == PF_UNIX) |
| 4504 | case PF_INET6: | ||
| 4505 | case PF_UNIX: | ||
| 4506 | isec->sid = sksec->sid; | 4504 | isec->sid = sksec->sid; |
| 4507 | break; | ||
| 4508 | default: | ||
| 4509 | /* by default there is no special labeling mechanism for the | ||
| 4510 | * sksec label so inherit the label from the parent socket */ | ||
| 4511 | BUG_ON(sksec->sid != SECINITSID_UNLABELED); | ||
| 4512 | sksec->sid = isec->sid; | ||
| 4513 | } | ||
| 4514 | sksec->sclass = isec->sclass; | 4505 | sksec->sclass = isec->sclass; |
| 4515 | } | 4506 | } |
| 4516 | 4507 | ||