Message ID | 20210329182443.1960963-1-dbrazdil@google.com (mailing list archive) |
---|---|
State | Not Applicable |
Delegated to: | Netdev Maintainers |
Series | [pre-5.10] selinux: vsock: Set SID for socket returned by accept() |
Context | Check | Description |
---|---|---|
netdev/tree_selection | success | Guessing tree name failed - patch did not apply |
On Mon, Mar 29, 2021 at 06:24:43PM +0000, David Brazdil wrote:
> [Backport of commit 1f935e8e72ec28dddb2dc0650b3b6626a293d94b to all
> stable branches from 4.4 to 5.4, inclusive]
>
> For AF_VSOCK, accept() currently returns sockets that are unlabelled.
> Other socket families derive the child's SID from the SID of the parent
> and the SID of the incoming packet. This is typically done as the
> connected socket is placed in the queue that accept() removes from.
>
> Reuse the existing 'security_sk_clone' hook to copy the SID from the
> parent (server) socket to the child. There is no packet SID in this
> case.

Queued up, thanks!
diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c index 5d323574d04f..c82e7b52ab1f 100644 --- a/net/vmw_vsock/af_vsock.c +++ b/net/vmw_vsock/af_vsock.c @@ -620,6 +620,7 @@ struct sock *__vsock_create(struct net *net, vsk->trusted = psk->trusted; vsk->owner = get_cred(psk->owner); vsk->connect_timeout = psk->connect_timeout; + security_sk_clone(parent, sk); } else { vsk->trusted = ns_capable_noaudit(&init_user_ns, CAP_NET_ADMIN); vsk->owner = get_current_cred();
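Review bot: the added `security_sk_clone(parent, sk);` in the `if (parent)` branch of `__vsock_create()` carries no inline comment, and the hook name alone does not say why the child is labelled from the parent only; a one-line comment such as `/* no packet SID for vsock: inherit the listener's label */` would preserve the reasoning from the commit message in the code. The surrounding context shows the `else` branch (sockets created without a parent, labelled via `ns_capable_noaudit()` / `get_current_cred()`) is untouched, so the change is scoped to accept()-created children as described; since this is a backport across 4.4 to 5.4, confirm the call lands after the `vsk->connect_timeout` copy in each target tree so the child's credentials are fully set up before the LSM hook runs.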