Commit fdd75ea8 authored by Stephen Smalley's avatar Stephen Smalley Committed by David S. Miller
Browse files

net/tipc: initialize security state for new connection socket 



Calling connect() with an AF_TIPC socket would trigger a series
of error messages from SELinux along the lines of:
SELinux: Invalid class 0
type=AVC msg=audit(1434126658.487:34500): avc:  denied  { <unprintable> }
  for pid=292 comm="kworker/u16:5" scontext=system_u:system_r:kernel_t:s0
  tcontext=system_u:object_r:unlabeled_t:s0 tclass=<unprintable>
  permissive=0

This was due to a failure to initialize the security state of the new
connection sock by the tipc code, leaving it with junk in the security
class field and an unlabeled secid.  Add a call to security_sk_clone()
to inherit the security state from the parent socket.

Reported-by: default avatarTim Shearer <tim.shearer@overturenetworks.com>
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
Acked-by: default avatarPaul Moore <paul@paul-moore.com>
Acked-by: default avatarYing Xue <ying.xue@windriver.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 4df48e8c

net/tipc/socket.c

+1 −0
Original line number Diff line number Diff line
@@ -2007,6 +2007,7 @@ static int tipc_accept(struct socket *sock, struct socket *new_sock, int flags) 
	res = tipc_sk_create(sock_net(sock->sk), new_sock, 0, 1);

	if (res)

		goto exit;

	security_sk_clone(sock->sk, new_sock->sk);



	new_sk = new_sock->sk;

	new_tsock = tipc_sk(new_sk);

CRA Git | Maintained and supported by SUSTech CRA and CCSE