summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPaul Moore <pmoore@redhat.com>2014-07-28 10:42:48 -0400
committerPaul Moore <pmoore@redhat.com>2014-07-28 10:46:07 -0400
commit2873ead7e46694910ac49c3a8ee0f54956f96e0c (patch)
treeca9560e878d2842d45c6f99077d0d8b8f8b0f9ba
parent4da6daf4d3df5a977e4623963f141a627fd2efce (diff)
Revert "selinux: fix the default socket labeling in sock_graft()"
This reverts commit 4da6daf4d3df5a977e4623963f141a627fd2efce. Unfortunately, the commit in question caused problems with Bluetooth devices, specifically it caused them to get caught in the newly created BUG_ON() check. The AF_ALG problem still exists, but will be addressed in a future patch. Cc: stable@vger.kernel.org Signed-off-by: Paul Moore <pmoore@redhat.com>
-rw-r--r--include/linux/security.h5
-rw-r--r--security/selinux/hooks.c13
2 files changed, 3 insertions, 15 deletions
diff --git a/include/linux/security.h b/include/linux/security.h
index 794be735ff4..6478ce3252c 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -987,10 +987,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
* Retrieve the LSM-specific secid for the sock to enable caching of network
* authorizations.
* @sock_graft:
- * This hook is called in response to a newly created sock struct being
- * grafted onto an existing socket and allows the security module to
- * perform whatever security attribute management is necessary for both
- * the sock and socket.
+ * Sets the socket's isec sid to the sock's sid.
* @inet_conn_request:
* Sets the openreq's sid to socket's sid with MLS portion taken from peer sid.
* @inet_csk_clone:
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index b3a6754e932..336f0a04450 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4499,18 +4499,9 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent)
struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
struct sk_security_struct *sksec = sk->sk_security;
- switch (sk->sk_family) {
- case PF_INET:
- case PF_INET6:
- case PF_UNIX:
+ if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
+ sk->sk_family == PF_UNIX)
isec->sid = sksec->sid;
- break;
- default:
- /* by default there is no special labeling mechanism for the
- * sksec label so inherit the label from the parent socket */
- BUG_ON(sksec->sid != SECINITSID_UNLABELED);
- sksec->sid = isec->sid;
- }
sksec->sclass = isec->sclass;
}