diff options
-rw-r--r-- | security/selinux/hooks.c | 25 |
1 files changed, 23 insertions, 2 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 777ee98273d1..877bab748c87 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -53,6 +53,7 @@ | |||
53 | #include <net/ip.h> /* for local_port_range[] */ | 53 | #include <net/ip.h> /* for local_port_range[] */ |
54 | #include <net/sock.h> | 54 | #include <net/sock.h> |
55 | #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ | 55 | #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ |
56 | #include <net/inet_connection_sock.h> | ||
56 | #include <net/net_namespace.h> | 57 | #include <net/net_namespace.h> |
57 | #include <net/netlabel.h> | 58 | #include <net/netlabel.h> |
58 | #include <linux/uaccess.h> | 59 | #include <linux/uaccess.h> |
@@ -4731,6 +4732,7 @@ static unsigned int selinux_ipv6_forward(unsigned int hooknum, | |||
4731 | static unsigned int selinux_ip_output(struct sk_buff *skb, | 4732 | static unsigned int selinux_ip_output(struct sk_buff *skb, |
4732 | u16 family) | 4733 | u16 family) |
4733 | { | 4734 | { |
4735 | struct sock *sk; | ||
4734 | u32 sid; | 4736 | u32 sid; |
4735 | 4737 | ||
4736 | if (!netlbl_enabled()) | 4738 | if (!netlbl_enabled()) |
@@ -4739,8 +4741,27 @@ static unsigned int selinux_ip_output(struct sk_buff *skb, | |||
4739 | /* we do this in the LOCAL_OUT path and not the POST_ROUTING path | 4741 | /* we do this in the LOCAL_OUT path and not the POST_ROUTING path |
4740 | * because we want to make sure we apply the necessary labeling | 4742 | * because we want to make sure we apply the necessary labeling |
4741 | * before IPsec is applied so we can leverage AH protection */ | 4743 | * before IPsec is applied so we can leverage AH protection */ |
4742 | if (skb->sk) { | 4744 | sk = skb->sk; |
4743 | struct sk_security_struct *sksec = skb->sk->sk_security; | 4745 | if (sk) { |
4746 | struct sk_security_struct *sksec; | ||
4747 | |||
4748 | if (sk->sk_state == TCP_LISTEN) | ||
4749 | /* if the socket is the listening state then this | ||
4750 | * packet is a SYN-ACK packet which means it needs to | ||
4751 | * be labeled based on the connection/request_sock and | ||
4752 | * not the parent socket. unfortunately, we can't | ||
4753 | * lookup the request_sock yet as it isn't queued on | ||
4754 | * the parent socket until after the SYN-ACK is sent. | ||
4755 | * the "solution" is to simply pass the packet as-is | ||
4756 | * as any IP option based labeling should be copied | ||
4757 | * from the initial connection request (in the IP | ||
4758 | * layer). it is far from ideal, but until we get a | ||
4759 | * security label in the packet itself this is the | ||
4760 | * best we can do. */ | ||
4761 | return NF_ACCEPT; | ||
4762 | |||
4763 | /* standard practice, label using the parent socket */ | ||
4764 | sksec = sk->sk_security; | ||
4744 | sid = sksec->sid; | 4765 | sid = sksec->sid; |
4745 | } else | 4766 | } else |
4746 | sid = SECINITSID_KERNEL; | 4767 | sid = SECINITSID_KERNEL; |