selinux: handle TCP SYN-ACK packets correctly in selinux_ip_postroute() - linux-dev - Linux kernel development work

diff options

author	Paul Moore <pmoore@redhat.com>	2013-12-03 11:16:36 -0500
committer	Paul Moore <pmoore@redhat.com>	2013-12-04 16:07:28 -0500
commit	7f721643db3b2da53e1b91aaa4e8cb7706bfdd10 (patch)
tree	2265959ac11a9e6acce19ae68bb4b837af186fb5 /security/selinux/netlabel.c
parent	selinux: handle TCP SYN-ACK packets correctly in selinux_ip_output() (diff)
download	linux-dev-7f721643db3b2da53e1b91aaa4e8cb7706bfdd10.tar.xz linux-dev-7f721643db3b2da53e1b91aaa4e8cb7706bfdd10.zip

selinux: handle TCP SYN-ACK packets correctly in selinux_ip_postroute()

In selinux_ip_postroute() we perform access checks based on the packet's security label. For locally generated traffic we get the packet's security label from the associated socket; this works in all cases except for TCP SYN-ACK packets. In the case of SYN-ACK packet's the correct security label is stored in the connection's request_sock, not the server's socket. Unfortunately, at the point in time when selinux_ip_postroute() is called we can't query the request_sock directly, we need to recreate the label using the same logic that originally labeled the associated request_sock. See the inline comments for more explanation. Reported-by: Janak Desai <Janak.Desai@gtri.gatech.edu> Tested-by: Janak Desai <Janak.Desai@gtri.gatech.edu> Cc: stable@vger.kernel.org Signed-off-by: Paul Moore <pmoore@redhat.com>

Diffstat (limited to 'security/selinux/netlabel.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: