releases/3.14.16/crypto-af_alg-properly-label-af_alg-socket.patch

   1 From 4c63f83c2c2e16a13ce274ee678e28246bd33645 Mon Sep 17 00:00:00 2001
   2 From: Milan Broz <gmazyland@gmail.com>
   3 Date: Tue, 29 Jul 2014 18:41:09 +0000
   4 Subject: crypto: af_alg - properly label AF_ALG socket
   5
   6 From: Milan Broz <gmazyland@gmail.com>
   7
   8 commit 4c63f83c2c2e16a13ce274ee678e28246bd33645 upstream.
   9
  10 Th AF_ALG socket was missing a security label (e.g. SELinux)
  11 which means that socket was in "unlabeled" state.
  12
  13 This was recently demonstrated in the cryptsetup package
  14 (cryptsetup v1.6.5 and later.)
  15 See https://bugzilla.redhat.com/show_bug.cgi?id=1115120
  16
  17 This patch clones the sock's label from the parent sock
  18 and resolves the issue (similar to AF_BLUETOOTH protocol family).
  19
  20 Signed-off-by: Milan Broz <gmazyland@gmail.com>
  21 Acked-by: Paul Moore <paul@paul-moore.com>
  22 Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  23 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  24
  25 ---
  26  crypto/af_alg.c |    2 ++
  27  1 file changed, 2 insertions(+)
  28
  29 --- a/crypto/af_alg.c
  30 +++ b/crypto/af_alg.c
  31 @@ -21,6 +21,7 @@
  32  #include <linux/module.h>
  33  #include <linux/net.h>
  34  #include <linux/rwsem.h>
  35 +#include <linux/security.h>
  36
  37  struct alg_type_list {
  38         const struct af_alg_type *type;
  39 @@ -243,6 +244,7 @@ int af_alg_accept(struct sock *sk, struc
  40
  41         sock_init_data(newsock, sk2);
  42         sock_graft(sk2, newsock);
  43 +       security_sk_clone(sk, sk2);
  44
  45         err = type->accept(ask->private, sk2);
  46         if (err) {