1 files changed, 23 insertions, 2 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 777ee98273d1..877bab748c87 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -53,6 +53,7 @@
 #include <net/ip.h>             /* for local_port_range[] */
 #include <net/sock.h>
 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
+#include <net/inet_connection_sock.h>
 #include <net/net_namespace.h>
 #include <net/netlabel.h>
 #include <linux/uaccess.h>
@@ -4731,6 +4732,7 @@ static unsigned int selinux_ipv6_forward(unsigned int hooknum,
 static unsigned int selinux_ip_output(struct sk_buff *skb,
                                      u16 family)
 {
+        struct sock *sk;
        u32 sid;
        if (!netlbl_enabled())
@@ -4739,8 +4741,27 @@ static unsigned int selinux_ip_output(struct sk_buff *skb,
        /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
         * because we want to make sure we apply the necessary labeling
         * before IPsec is applied so we can leverage AH protection */
-        if (skb->sk) {
+        sk = skb->sk;
-                struct sk_security_struct *sksec = skb->sk->sk_security;
+        if (sk) {
+                struct sk_security_struct *sksec;
+                if (sk->sk_state == TCP_LISTEN)
+                        /* if the socket is the listening state then this
+                         * packet is a SYN-ACK packet which means it needs to
+                         * be labeled based on the connection/request_sock and
+                         * not the parent socket.  unfortunately, we can't
+                         * lookup the request_sock yet as it isn't queued on
+                         * the parent socket until after the SYN-ACK is sent.
+                         * the "solution" is to simply pass the packet as-is
+                         * as any IP option based labeling should be copied
+                         * from the initial connection request (in the IP
+                         * layer).  it is far from ideal, but until we get a
+                         * security label in the packet itself this is the
+                         * best we can do. */
+                        return NF_ACCEPT;
+                /* standard practice, label using the parent socket */
+                sksec = sk->sk_security;
                sid = sksec->sid;
        } else
                sid = SECINITSID_KERNEL;

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 777ee98273d1..877bab748c87 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -53,6 +53,7 @@
53	#include <net/ip.h> /* for local_port_range[] */	53	#include <net/ip.h> /* for local_port_range[] */
54	#include <net/sock.h>	54	#include <net/sock.h>
55	#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */	55	#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
		56	#include <net/inet_connection_sock.h>
56	#include <net/net_namespace.h>	57	#include <net/net_namespace.h>
57	#include <net/netlabel.h>	58	#include <net/netlabel.h>
58	#include <linux/uaccess.h>	59	#include <linux/uaccess.h>
@@ -4731,6 +4732,7 @@ static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4731	static unsigned int selinux_ip_output(struct sk_buff *skb,	4732	static unsigned int selinux_ip_output(struct sk_buff *skb,
4732	u16 family)	4733	u16 family)
4733	{	4734	{
		4735	struct sock *sk;
4734	u32 sid;	4736	u32 sid;
4735		4737
4736	if (!netlbl_enabled())	4738	if (!netlbl_enabled())
@@ -4739,8 +4741,27 @@ static unsigned int selinux_ip_output(struct sk_buff *skb,
4739	/* we do this in the LOCAL_OUT path and not the POST_ROUTING path	4741	/* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4740	* because we want to make sure we apply the necessary labeling	4742	* because we want to make sure we apply the necessary labeling
4741	* before IPsec is applied so we can leverage AH protection */	4743	* before IPsec is applied so we can leverage AH protection */
4742	if (skb->sk) {	4744	sk = skb->sk;
4743	struct sk_security_struct *sksec = skb->sk->sk_security;	4745	if (sk) {
		4746	struct sk_security_struct *sksec;
		4747
		4748	if (sk->sk_state == TCP_LISTEN)
		4749	/* if the socket is the listening state then this
		4750	* packet is a SYN-ACK packet which means it needs to
		4751	* be labeled based on the connection/request_sock and
		4752	* not the parent socket. unfortunately, we can't
		4753	* lookup the request_sock yet as it isn't queued on
		4754	* the parent socket until after the SYN-ACK is sent.
		4755	* the "solution" is to simply pass the packet as-is
		4756	* as any IP option based labeling should be copied
		4757	* from the initial connection request (in the IP
		4758	* layer). it is far from ideal, but until we get a
		4759	* security label in the packet itself this is the
		4760	* best we can do. */
		4761	return NF_ACCEPT;
		4762
		4763	/* standard practice, label using the parent socket */
		4764	sksec = sk->sk_security;
4744	sid = sksec->sid;	4765	sid = sksec->sid;
4745	} else	4766	} else
4746	sid = SECINITSID_KERNEL;	4767	sid = SECINITSID_KERNEL;