diff options
| author | Paul Moore <paul.moore@hp.com> | 2010-04-22 14:46:18 -0400 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2010-08-02 01:34:37 -0400 |
| commit | 4d1e24514d80cb266231d0c1b6c02161970ad019 (patch) | |
| tree | 2de35d44c52dc1afa28c8f1bf294180817834a9d /security/selinux | |
| parent | e79acf0ef45e0b54aed47ebea7f25c540d3f527e (diff) | |
selinux: Set the peer label correctly on connected UNIX domain sockets
Correct a problem where we weren't setting the peer label correctly on
the client end of a pair of connected UNIX sockets.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux')
| -rw-r--r-- | security/selinux/hooks.c | 30 |
1 files changed, 14 insertions, 16 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 5c9f25ba1c95..190fd0ffb13e 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -3980,34 +3980,32 @@ static int selinux_socket_unix_stream_connect(struct socket *sock, | |||
| 3980 | struct socket *other, | 3980 | struct socket *other, |
| 3981 | struct sock *newsk) | 3981 | struct sock *newsk) |
| 3982 | { | 3982 | { |
| 3983 | struct sk_security_struct *sksec; | 3983 | struct sk_security_struct *sksec_sock = sock->sk->sk_security; |
| 3984 | struct inode_security_struct *isec; | 3984 | struct sk_security_struct *sksec_other = other->sk->sk_security; |
| 3985 | struct inode_security_struct *other_isec; | 3985 | struct sk_security_struct *sksec_new = newsk->sk_security; |
| 3986 | struct common_audit_data ad; | 3986 | struct common_audit_data ad; |
| 3987 | int err; | 3987 | int err; |
| 3988 | 3988 | ||
| 3989 | isec = SOCK_INODE(sock)->i_security; | ||
| 3990 | other_isec = SOCK_INODE(other)->i_security; | ||
| 3991 | |||
| 3992 | COMMON_AUDIT_DATA_INIT(&ad, NET); | 3989 | COMMON_AUDIT_DATA_INIT(&ad, NET); |
| 3993 | ad.u.net.sk = other->sk; | 3990 | ad.u.net.sk = other->sk; |
| 3994 | 3991 | ||
| 3995 | err = avc_has_perm(isec->sid, other_isec->sid, | 3992 | err = avc_has_perm(sksec_sock->sid, sksec_other->sid, |
| 3996 | isec->sclass, | 3993 | sksec_other->sclass, |
| 3997 | UNIX_STREAM_SOCKET__CONNECTTO, &ad); | 3994 | UNIX_STREAM_SOCKET__CONNECTTO, &ad); |
| 3998 | if (err) | 3995 | if (err) |
| 3999 | return err; | 3996 | return err; |
| 4000 | 3997 | ||
| 4001 | /* connecting socket */ | ||
| 4002 | sksec = sock->sk->sk_security; | ||
| 4003 | sksec->peer_sid = other_isec->sid; | ||
| 4004 | |||
| 4005 | /* server child socket */ | 3998 | /* server child socket */ |
| 4006 | sksec = newsk->sk_security; | 3999 | sksec_new->peer_sid = sksec_sock->sid; |
| 4007 | sksec->peer_sid = isec->sid; | 4000 | err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid, |
| 4008 | err = security_sid_mls_copy(other_isec->sid, sksec->peer_sid, &sksec->sid); | 4001 | &sksec_new->sid); |
| 4002 | if (err) | ||
| 4003 | return err; | ||
| 4009 | 4004 | ||
| 4010 | return err; | 4005 | /* connecting socket */ |
| 4006 | sksec_sock->peer_sid = sksec_new->sid; | ||
| 4007 | |||
| 4008 | return 0; | ||
| 4011 | } | 4009 | } |
| 4012 | 4010 | ||
| 4013 | static int selinux_socket_unix_may_send(struct socket *sock, | 4011 | static int selinux_socket_unix_may_send(struct socket *sock, |