summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorPaul Moore <paul.moore@hp.com>2010-04-22 20:46:18 +0200
committerJames Morris <jmorris@namei.org>2010-08-02 07:34:37 +0200
commit4d1e24514d80cb266231d0c1b6c02161970ad019 (patch)
tree2de35d44c52dc1afa28c8f1bf294180817834a9d /security
parentTOMOYO: Pass "struct list_head" rather than "void *". (diff)
downloadlinux-4d1e24514d80cb266231d0c1b6c02161970ad019.tar.xz
linux-4d1e24514d80cb266231d0c1b6c02161970ad019.zip
selinux: Set the peer label correctly on connected UNIX domain sockets
Correct a problem where we weren't setting the peer label correctly on the client end of a pair of connected UNIX sockets. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r--security/selinux/hooks.c30
1 files changed, 14 insertions, 16 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 5c9f25ba1c95..190fd0ffb13e 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3980,34 +3980,32 @@ static int selinux_socket_unix_stream_connect(struct socket *sock,
struct socket *other,
struct sock *newsk)
{
- struct sk_security_struct *sksec;
- struct inode_security_struct *isec;
- struct inode_security_struct *other_isec;
+ struct sk_security_struct *sksec_sock = sock->sk->sk_security;
+ struct sk_security_struct *sksec_other = other->sk->sk_security;
+ struct sk_security_struct *sksec_new = newsk->sk_security;
struct common_audit_data ad;
int err;
- isec = SOCK_INODE(sock)->i_security;
- other_isec = SOCK_INODE(other)->i_security;
-
COMMON_AUDIT_DATA_INIT(&ad, NET);
ad.u.net.sk = other->sk;
- err = avc_has_perm(isec->sid, other_isec->sid,
- isec->sclass,
+ err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
+ sksec_other->sclass,
UNIX_STREAM_SOCKET__CONNECTTO, &ad);
if (err)
return err;
- /* connecting socket */
- sksec = sock->sk->sk_security;
- sksec->peer_sid = other_isec->sid;
-
/* server child socket */
- sksec = newsk->sk_security;
- sksec->peer_sid = isec->sid;
- err = security_sid_mls_copy(other_isec->sid, sksec->peer_sid, &sksec->sid);
+ sksec_new->peer_sid = sksec_sock->sid;
+ err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
+ &sksec_new->sid);
+ if (err)
+ return err;
- return err;
+ /* connecting socket */
+ sksec_sock->peer_sid = sksec_new->sid;
+
+ return 0;
}
static int selinux_socket_unix_may_send(struct socket *sock,