From: Paul Moore <paul@paul-moore.com>
To: Milan Broz <gmazyland@gmail.com>,
linux-crypto@vger.kernel.org,
Herbert Xu <herbert@gondor.apana.org.au>
Cc: selinux@tycho.nsa.gov
Subject: Re: [PATCH] crypto: properly label AF_ALG socket
Date: Wed, 30 Jul 2014 11:01:14 -0400
Message-ID: <10347850.4JK0gCtsfF@sifl>
In-Reply-To: <1406659269-8346-1-git-send-email-gmazyland@gmail.com>
On Tuesday, July 29, 2014 08:41:09 PM Milan Broz wrote:
> The AF_ALG socket was missing a security label (e.g. SELinux)
> which means that socket was in "unlabeled" state.
>
> This was recently demonstrated in the cryptsetup package
> (cryptsetup v1.6.5 and later.)
> See https://bugzilla.redhat.com/show_bug.cgi?id=1115120
>
> This patch clones the sock's label from the parent sock
> and resolves the issue (similar to AF_BLUETOOTH protocol family).
>
> Cc: stable@vger.kernel.org
> Signed-off-by: Milan Broz <gmazyland@gmail.com>
> ---
> crypto/af_alg.c | 2 ++
> 1 file changed, 2 insertions(+)
Thanks Milan, this patch looks good to me. Crypto folks, assuming no
objections, could you try to push this patch this week so it hits 3.16 proper
(assuming no more -rc releases)? Without this patch the latest versions of
cryptsetup could fail on a SELinux system leaving the system unable to boot
with SELinux in enforcing mode.
Acked-by: Paul Moore <paul@paul-moore.com>
> diff --git a/crypto/af_alg.c b/crypto/af_alg.c
> index 966f893..6a3ad80 100644
> --- a/crypto/af_alg.c
> +++ b/crypto/af_alg.c
> @@ -21,6 +21,7 @@
> #include <linux/module.h>
> #include <linux/net.h>
> #include <linux/rwsem.h>
> +#include <linux/security.h>
>
> struct alg_type_list {
> const struct af_alg_type *type;
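Review bot: the new `#include <linux/security.h>` is what supplies the `security_sk_clone()` declaration used in the `af_alg_accept()` hunk below, and it is placed in alphabetical order after `<linux/rwsem.h>`, consistent with the surrounding include block. Because `linux/security.h` provides a static inline no-op `security_sk_clone()` when CONFIG_SECURITY is not set, the call site needs no `#ifdef` guard and the file still builds on kernels without an LSM; nothing to change here.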
> @@ -243,6 +244,7 @@ int af_alg_accept(struct sock *sk, struct socket
> *newsock)
>
> sock_init_data(newsock, sk2);
> sock_graft(sk2, newsock);
> + security_sk_clone(sk, sk2);
>
> err = type->accept(ask->private, sk2);
> if (err) {
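Review bot: the placement of `security_sk_clone(sk, sk2);` looks correct: it runs after `sock_init_data()` and `sock_graft()`, so `sk2` is fully initialised and attached to `newsock`, and before `type->accept()`, so the accepted socket already carries the listening socket's LSM label before any type-specific setup or userspace access can happen. Two small suggestions: a one-line comment above the call saying that the label is inherited from the parent socket (as AF_BLUETOOTH does) would make the intent obvious to later readers, and the changelog could note that the `err` path below needs no corresponding cleanup, since `security_sk_clone()` only copies label state into the security blob that `sk_alloc()` already attached to `sk2`, and that blob is released when `sk2` itself is freed.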
--
paul moore
www.paul-moore.com
Thread overview:
2014-07-28 15:09 [PATCH] Revert "selinux: fix the default socket labeling in sock_graft()" Paul Moore
2014-07-29 18:41 ` [PATCH] crypto: properly label AF_ALG socket Milan Broz
2014-07-30 15:01 ` Paul Moore [this message]
2014-07-31 13:55 ` Herbert Xu