summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLontke Michael <michael.lontke@elektrobit.com>2022-08-31 14:03:26 +0200
committerCasey Schaufler <casey@schaufler-ca.com>2022-09-27 10:33:03 -0700
commit4ca165fc6c49c3b0100f61524ffbca4743d46e8d (patch)
treed4173b1c3e8290074b3329be13e39a44d2d51629
parentb90cb1053190353cc30f0fef0ef1f378ccc063c5 (diff)
downloadlinux-4ca165fc6c49c3b0100f61524ffbca4743d46e8d.tar.gz
linux-4ca165fc6c49c3b0100f61524ffbca4743d46e8d.tar.bz2
linux-4ca165fc6c49c3b0100f61524ffbca4743d46e8d.zip
SMACK: Add sk_clone_security LSM hook
Using smk_of_current() during sk_alloc_security hook leads in rare cases to a faulty initialization of the security context of the created socket. By adding the LSM hook sk_clone_security to SMACK this initialization fault is corrected by copying the security context of the old socket pointer to the newly cloned one. Co-authored-by: Martin Ostertag: <martin.ostertag@elektrobit.com> Signed-off-by: Lontke Michael <michael.lontke@elektrobit.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
-rw-r--r--security/smack/smack_lsm.c16
1 files changed, 16 insertions, 0 deletions
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 001831458fa2..077bf6fd569b 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -2279,6 +2279,21 @@ static void smack_sk_free_security(struct sock *sk)
}
/**
+ * smack_sk_clone_security - Copy security context
+ * @sk: the old socket
+ * @newsk: the new socket
+ *
+ * Copy the security context of the old socket pointer to the cloned
+ */
+static void smack_sk_clone_security(const struct sock *sk, struct sock *newsk)
+{
+ struct socket_smack *ssp_old = sk->sk_security;
+ struct socket_smack *ssp_new = newsk->sk_security;
+
+ *ssp_new = *ssp_old;
+}
+
+/**
* smack_ipv4host_label - check host based restrictions
* @sip: the object end
*
@@ -4851,6 +4866,7 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram),
LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security),
LSM_HOOK_INIT(sk_free_security, smack_sk_free_security),
+ LSM_HOOK_INIT(sk_clone_security, smack_sk_clone_security),
LSM_HOOK_INIT(sock_graft, smack_sock_graft),
LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request),
LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone),