diff options
| author | Stephen Smalley <sds@tycho.nsa.gov> | 2015-07-07 09:43:45 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2015-09-29 19:26:21 +0200 |
| commit | bb18cdc8b40e14a36fff015e794724e989af426c (patch) | |
| tree | 36de90605ca60dc78fac99d9728e80f4da8eaca3 /net/tipc | |
| parent | 952f21eb0cd26e07b9a9e0639c0bd9453caee441 (diff) | |
net/tipc: initialize security state for new connection socket
[ Upstream commit fdd75ea8df370f206a8163786e7470c1277a5064 ]
Calling connect() with an AF_TIPC socket would trigger a series
of error messages from SELinux along the lines of:
SELinux: Invalid class 0
type=AVC msg=audit(1434126658.487:34500): avc: denied { <unprintable> }
for pid=292 comm="kworker/u16:5" scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=<unprintable>
permissive=0
This was due to a failure to initialize the security state of the new
connection sock by the tipc code, leaving it with junk in the security
class field and an unlabeled secid. Add a call to security_sk_clone()
to inherit the security state from the parent socket.
Reported-by: Tim Shearer <tim.shearer@overturenetworks.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Paul Moore <paul@paul-moore.com>
Acked-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'net/tipc')
| -rw-r--r-- | net/tipc/socket.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/net/tipc/socket.c b/net/tipc/socket.c index f485600c4507..20cc6df07157 100644 --- a/net/tipc/socket.c +++ b/net/tipc/socket.c @@ -2009,6 +2009,7 @@ static int tipc_accept(struct socket *sock, struct socket *new_sock, int flags) res = tipc_sk_create(sock_net(sock->sk), new_sock, 0, 1); if (res) goto exit; + security_sk_clone(sock->sk, new_sock->sk); new_sk = new_sock->sk; new_tsock = tipc_sk(new_sk); |