aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStephen Smalley <sds@tycho.nsa.gov>2015-07-07 09:43:45 -0400
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2015-10-01 12:07:35 +0200
commitafabf2a8b621f2c300cbdf6adb0f8855f612b3a6 (patch)
tree2706a3c39886c852bc43c6eb4650155c221c168a
parent3b9393dc1d4cc226bce44708ab899518cc598e57 (diff)
downloadlinux-linaro-stable-afabf2a8b621f2c300cbdf6adb0f8855f612b3a6.tar.gz
net/tipc: initialize security state for new connection socket
[ Upstream commit fdd75ea8df370f206a8163786e7470c1277a5064 ] Calling connect() with an AF_TIPC socket would trigger a series of error messages from SELinux along the lines of: SELinux: Invalid class 0 type=AVC msg=audit(1434126658.487:34500): avc: denied { <unprintable> } for pid=292 comm="kworker/u16:5" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=<unprintable> permissive=0 This was due to a failure to initialize the security state of the new connection sock by the tipc code, leaving it with junk in the security class field and an unlabeled secid. Add a call to security_sk_clone() to inherit the security state from the parent socket. Reported-by: Tim Shearer <tim.shearer@overturenetworks.com> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Paul Moore <paul@paul-moore.com> Acked-by: Ying Xue <ying.xue@windriver.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--net/tipc/socket.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index 2b1d7c2d677d..e0cb5edc6d1d 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -1528,6 +1528,7 @@ static int accept(struct socket *sock, struct socket *new_sock, int flags)
res = tipc_create(sock_net(sock->sk), new_sock, 0, 0);
if (res)
goto exit;
+ security_sk_clone(sock->sk, new_sock->sk);
new_sk = new_sock->sk;
new_tsock = tipc_sk(new_sk);