summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorPaul Moore <paul.moore@hp.com>2006-09-26 00:52:01 +0200
committerDavid S. Miller <davem@davemloft.net>2006-09-26 00:52:01 +0200
commit14a72f53fb1bb5d5c2bdd8cf172219519664729a (patch)
tree95a077fb9289a95c352af77f18f12e5aba3313c6 /security
parent[TCP]: make cubic the default (diff)
downloadlinux-14a72f53fb1bb5d5c2bdd8cf172219519664729a.tar.xz
linux-14a72f53fb1bb5d5c2bdd8cf172219519664729a.zip
[NetLabel]: correct improper handling of non-NetLabel peer contexts
Fix a problem where NetLabel would always set the value of sk_security_struct->peer_sid in selinux_netlbl_sock_graft() to the context of the socket, causing problems when users would query the context of the connection. This patch fixes this so that the value in sk_security_struct->peer_sid is only set when the connection is NetLabel based, otherwise the value is untouched. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'security')
-rw-r--r--security/selinux/ss/services.c12
1 files changed, 11 insertions, 1 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 7eb69a602d8f..d67f7e658529 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2502,14 +2502,24 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
{
struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
struct sk_security_struct *sksec = sk->sk_security;
+ struct netlbl_lsm_secattr secattr;
+ u32 nlbl_peer_sid;
sksec->sclass = isec->sclass;
if (sk->sk_family != PF_INET)
return;
+ netlbl_secattr_init(&secattr);
+ if (netlbl_sock_getattr(sk, &secattr) == 0 &&
+ selinux_netlbl_secattr_to_sid(NULL,
+ &secattr,
+ sksec->sid,
+ &nlbl_peer_sid) == 0)
+ sksec->peer_sid = nlbl_peer_sid;
+ netlbl_secattr_destroy(&secattr, 0);
+
sksec->nlbl_state = NLBL_REQUIRE;
- sksec->peer_sid = sksec->sid;
/* Try to set the NetLabel on the socket to save time later, if we fail
* here we will pick up the pieces in later calls to