summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJames Morris <james.l.morris@oracle.com>2014-07-17 03:05:51 +1000
committerJames Morris <james.l.morris@oracle.com>2014-07-17 03:05:51 +1000
commitb6b8a371f5541c2b839caba84fede693f3fcc43d (patch)
tree8bee0d6e115133436a2a1781814cbc2e9f72629e
parentbd89bb78f35fd175db7a9cfc504d789b6ca0f7b0 (diff)
parent4da6daf4d3df5a977e4623963f141a627fd2efce (diff)
downloadlinux-b6b8a371f5541c2b839caba84fede693f3fcc43d.tar.bz2
Merge branch 'stable-3.16' of git://git.infradead.org/users/pcmoore/selinux into next
-rw-r--r--include/linux/security.h5
-rw-r--r--security/selinux/hooks.c13
2 files changed, 15 insertions, 3 deletions
diff --git a/include/linux/security.h b/include/linux/security.h
index 9c6b9722ff48..59820f8782a1 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -987,7 +987,10 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
* Retrieve the LSM-specific secid for the sock to enable caching of network
* authorizations.
* @sock_graft:
- * Sets the socket's isec sid to the sock's sid.
+ * This hook is called in response to a newly created sock struct being
+ * grafted onto an existing socket and allows the security module to
+ * perform whatever security attribute management is necessary for both
+ * the sock and socket.
* @inet_conn_request:
* Sets the openreq's sid to socket's sid with MLS portion taken from peer sid.
* @inet_csk_clone:
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 83d06db34d03..a1ac1c5c729b 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4499,9 +4499,18 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent)
struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
struct sk_security_struct *sksec = sk->sk_security;
- if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
- sk->sk_family == PF_UNIX)
+ switch (sk->sk_family) {
+ case PF_INET:
+ case PF_INET6:
+ case PF_UNIX:
isec->sid = sksec->sid;
+ break;
+ default:
+ /* by default there is no special labeling mechanism for the
+ * sksec label so inherit the label from the parent socket */
+ BUG_ON(sksec->sid != SECINITSID_UNLABELED);
+ sksec->sid = isec->sid;
+ }
sksec->sclass = isec->sclass;
}