smack: unix sockets: fix accept()ed socket label

[ Upstream commit e86cac0acdb1a74f608bacefe702f2034133a047 ]

When a process accept()s connection from a unix socket
(either stream or seqpacket)
it gets the socket with the label of the connecting process.

For example, if a connecting process has a label 'foo',
the accept()ed socket will also have 'in' and 'out' labels 'foo',
regardless of the label of the listener process.

This is because kernel creates unix child sockets
in the context of the connecting process.

I do not see any obvious way for the listener to abuse
alien labels coming with the new socket, but,
to be on the safe side, it's better fix new socket labels.

Signed-off-by: Konstantin Andreev <andreev@swemel.ru>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 88bcda1f07bff852c3498d03ba1130fb9dd55422..92bc6c9d793d603c2c6374bc8b18eccc5cc40f08 100644 (file)
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3642,12 +3642,18 @@ static int smack_unix_stream_connect(struct sock *sock,
                }
        }
 
-       /*
-        * Cross reference the peer labels for SO_PEERSEC.
-        */
        if (rc == 0) {
+               /*
+                * Cross reference the peer labels for SO_PEERSEC.
+                */
                nsp->smk_packet = ssp->smk_out;
                ssp->smk_packet = osp->smk_out;
+
+               /*
+                * new/child/established socket must inherit listening socket labels
+                */
+               nsp->smk_out = osp->smk_out;
+               nsp->smk_in  = osp->smk_in;
        }
 
        return rc;