From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933851AbbIDNlu (ORCPT ); Fri, 4 Sep 2015 09:41:50 -0400
Received: from youngberry.canonical.com ([91.189.89.112]:50100 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932904AbbIDNJm (ORCPT ); Fri, 4 Sep 2015 09:09:42 -0400
From: Luis Henriques
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org, kernel-team@lists.ubuntu.com
Cc: Stephen Smalley , "David S. Miller" , Luis Henriques
Subject: [PATCH 3.16.y-ckt 065/130] net/tipc: initialize security state for new connection socket
Date: Fri, 4 Sep 2015 14:07:33 +0100
Message-Id: <1441372118-5933-66-git-send-email-luis.henriques@canonical.com>
X-Mailer: git-send-email 2.1.4
In-Reply-To: <1441372118-5933-1-git-send-email-luis.henriques@canonical.com>
References: <1441372118-5933-1-git-send-email-luis.henriques@canonical.com>
X-Extended-Stable: 3.16
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

3.16.7-ckt17 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Stephen Smalley

commit fdd75ea8df370f206a8163786e7470c1277a5064 upstream.

Calling connect() with an AF_TIPC socket would trigger a series of error messages from SELinux along the lines of:

SELinux: Invalid class 0
type=AVC msg=audit(1434126658.487:34500): avc: denied { } for pid=292 comm="kworker/u16:5" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass= permissive=0

This was due to a failure to initialize the security state of the new connection sock by the tipc code, leaving it with junk in the security class field and an unlabeled secid. Add a call to security_sk_clone() to inherit the security state from the parent socket.

Reported-by: Tim Shearer
Signed-off-by: Stephen Smalley
Acked-by: Paul Moore
Acked-by: Ying Xue
Signed-off-by: David S. Miller
Signed-off-by: Luis Henriques --- net/tipc/socket.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/tipc/socket.c b/net/tipc/socket.c index 4093fd81edd5..9dee1aabcfc0 100644 --- a/net/tipc/socket.c +++ b/net/tipc/socket.c @@ -1696,6 +1696,7 @@ static int tipc_accept(struct socket *sock, struct socket *new_sock, int flags) res = tipc_sk_create(sock_net(sock->sk), new_sock, 0, 1); if (res) goto exit; + security_sk_clone(sock->sk, new_sock->sk); new_sk = new_sock->sk; new_port = &tipc_sk(new_sk)->port;
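
Review bot: The added security_sk_clone(sock->sk, new_sock->sk) line in tipc_accept() carries no comment explaining why the listening sock's security state has to be copied at this point. A one-line comment above it, saying that the sock returned by tipc_sk_create() would otherwise keep an uninitialized security class and an unlabeled secid (as the commit message describes), would keep a later refactor of this function from dropping the call. As a style point, the call could sit one line lower and take new_sk, which is assigned from new_sock->sk on the very next line, so the function refers to the new sock in one way. The position after the "if (res) goto exit;" check is correct, since new_sock->sk is only dereferenced once tipc_sk_create() has returned success. Since this is a -stable backport, it is also worth confirming that no other path in this tree's net/tipc/socket.c creates a connection sock without inheriting the parent's security state; only the accept path is visible here.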