On Wednesday, December 23, 2015 04:44:09 PM Marcelo Ricardo Leitner wrote:
> From: Marcelo Ricardo Leitner <marcelo.leit...@gmail.com>
> Accepted or peeled off sockets were missing a security label (e.g.
> SELinux) which means that socket was in "unlabeled" state.
> This patch clones the sock's label from the parent sock and resolves the
> issue (similar to AF_BLUETOOTH protocol family).
> Cc: Paul Moore <pmo...@redhat.com>
> Cc: David Teigland <teigl...@redhat.com>
> Signed-off-by: Marcelo Ricardo Leitner <marcelo.leit...@gmail.com>
> net/sctp/socket.c | 2 ++
> 1 file changed, 2 insertions(+)
[NOTE: added the LSM and SELinux lists to the CC line as a FYI]
Proper SCTP support is on the SELinux todo list, but in the meantime it looks
like the patch below should at least ensure that SCTP sockets inherit their
parent's label which is probably the best we can hope for right now.
Acked-by: Paul Moore <p...@paul-moore.com>
> diff --git a/net/sctp/socket.c b/net/sctp/socket.c
> a3499c8 100644 --- a/net/sctp/socket.c
> +++ b/net/sctp/socket.c
> @@ -7202,6 +7202,8 @@ void sctp_copy_sock(struct sock *newsk, struct sock
> if (newsk->sk_flags & SK_FLAGS_TIMESTAMP)
> + security_sk_clone(sk, newsk);
> static inline void sctp_copy_descendant(struct sock *sk_to,
To unsubscribe from this list: send the line "unsubscribe
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html