diff options
author | Paul Moore <paul.moore@hp.com> | 2010-04-22 14:46:18 -0400 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2010-08-02 15:34:37 +1000 |
commit | 4d1e24514d80cb266231d0c1b6c02161970ad019 (patch) | |
tree | 2de35d44c52dc1afa28c8f1bf294180817834a9d /security | |
parent | e79acf0ef45e0b54aed47ebea7f25c540d3f527e (diff) | |
download | lwn-4d1e24514d80cb266231d0c1b6c02161970ad019.tar.gz lwn-4d1e24514d80cb266231d0c1b6c02161970ad019.zip |
selinux: Set the peer label correctly on connected UNIX domain sockets
Correct a problem where we weren't setting the peer label correctly on
the client end of a pair of connected UNIX sockets.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r-- | security/selinux/hooks.c | 30 |
1 files changed, 14 insertions, 16 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 5c9f25ba1c95..190fd0ffb13e 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3980,34 +3980,32 @@ static int selinux_socket_unix_stream_connect(struct socket *sock, struct socket *other, struct sock *newsk) { - struct sk_security_struct *sksec; - struct inode_security_struct *isec; - struct inode_security_struct *other_isec; + struct sk_security_struct *sksec_sock = sock->sk->sk_security; + struct sk_security_struct *sksec_other = other->sk->sk_security; + struct sk_security_struct *sksec_new = newsk->sk_security; struct common_audit_data ad; int err; - isec = SOCK_INODE(sock)->i_security; - other_isec = SOCK_INODE(other)->i_security; - COMMON_AUDIT_DATA_INIT(&ad, NET); ad.u.net.sk = other->sk; - err = avc_has_perm(isec->sid, other_isec->sid, - isec->sclass, + err = avc_has_perm(sksec_sock->sid, sksec_other->sid, + sksec_other->sclass, UNIX_STREAM_SOCKET__CONNECTTO, &ad); if (err) return err; - /* connecting socket */ - sksec = sock->sk->sk_security; - sksec->peer_sid = other_isec->sid; - /* server child socket */ - sksec = newsk->sk_security; - sksec->peer_sid = isec->sid; - err = security_sid_mls_copy(other_isec->sid, sksec->peer_sid, &sksec->sid); + sksec_new->peer_sid = sksec_sock->sid; + err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid, + &sksec_new->sid); + if (err) + return err; - return err; + /* connecting socket */ + sksec_sock->peer_sid = sksec_new->sid; + + return 0; } static int selinux_socket_unix_may_send(struct socket *sock, |