-rw-r--r-- | security/selinux/hooks.c | 32 |
1 files changed, 12 insertions, 20 deletions
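--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3671,6 +3671,12 @@ static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
 }
 
 /* socket security operations */
+
+static u32 socket_sockcreate_sid(const struct task_security_struct *tsec)
+{
+	return tsec->sockcreate_sid ? : tsec->sid;
+}
+
 static int socket_has_perm(struct task_struct *task, struct socket *sock,
 			   u32 perms)
 {
@@ -3698,21 +3704,15 @@ static int selinux_socket_create(int family, int type,
 {
 	const struct cred *cred = current_cred();
 	const struct task_security_struct *tsec = cred->security;
-	u32 sid, newsid;
+	u32 newsid;
 	u16 secclass;
-	int err = 0;
 
 	if (kern)
-		goto out;
-
-	sid = tsec->sid;
-	newsid = tsec->sockcreate_sid ?: sid;
+		return 0;
 
+	newsid = socket_sockcreate_sid(tsec);
 	secclass = socket_type_to_security_class(family, type, protocol);
-	err = avc_has_perm(sid, newsid, secclass, SOCKET__CREATE, NULL);
-
-out:
-	return err;
+	return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
 }
 
 static int selinux_socket_post_create(struct socket *sock, int family,
@@ -3720,22 +3720,14 @@ static int selinux_socket_post_create(struct socket *sock, int family,
 {
 	const struct cred *cred = current_cred();
 	const struct task_security_struct *tsec = cred->security;
-	struct inode_security_struct *isec;
+	struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
 	struct sk_security_struct *sksec;
-	u32 sid, newsid;
 	int err = 0;
 
-	sid = tsec->sid;
-	newsid = tsec->sockcreate_sid;
-
-	isec = SOCK_INODE(sock)->i_security;
-
 	if (kern)
 		isec->sid = SECINITSID_KERNEL;
-	else if (newsid)
-		isec->sid = newsid;
 	else
-		isec->sid = sid;
+		isec->sid = socket_sockcreate_sid(tsec);
 
 	isec->sclass = socket_type_to_security_class(family, type, protocol);
 	isec->initialized = 1;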
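Review bot: The new socket_sockcreate_sid() helper in the first hunk carries no comment, yet it now decides the label every new socket gets in both selinux_socket_create() and selinux_socket_post_create(), so a reader of either caller has to open the helper to learn that a zero sockcreate_sid means "no override"; a one-line comment above it such as `/* Label for a socket the task is creating: the task's sockcreate override if set, else the task SID. */` would make that contract explicit. The spacing `? :` in the helper also differs from the `?:` the removed line in selinux_socket_create() used; picking one form keeps the file consistent. Note that the subject of the avc_has_perm() check in selinux_socket_create() is still `tsec->sid` while the target comes from the helper, so the permission semantics are unchanged, which is worth stating in the helper comment if the helper is ever reused as a subject. The body of selinux_socket_post_create() continues past the last hunk, so the later uses of `sksec` and `err` are not visible here.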