diff options
| author | Paul Moore <pmoore@redhat.com> | 2013-12-04 21:10:51 (GMT) |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2013-12-20 15:48:59 (GMT) |
| commit | a19895494f08db7e19951deae53359d9a1a74160 (patch) | |
| tree | c9e17c21cb3203f4e790a26c87c2fa2a14cca98e /net/mac80211/sta_info.c | |
| parent | 569ee4bda2ca11dffe1fc5594ee3787715cdb9d5 (diff) | |
| download | linux-fsl-qoriq-a19895494f08db7e19951deae53359d9a1a74160.tar.xz | |
selinux: handle TCP SYN-ACK packets correctly in selinux_ip_postroute()
commit 446b802437f285de68ffb8d6fac3c44c3cab5b04 upstream.
In selinux_ip_postroute() we perform access checks based on the
packet's security label. For locally generated traffic we get the
packet's security label from the associated socket; this works in all
cases except for TCP SYN-ACK packets. In the case of SYN-ACK packet's
the correct security label is stored in the connection's request_sock,
not the server's socket. Unfortunately, at the point in time when
selinux_ip_postroute() is called we can't query the request_sock
directly, we need to recreate the label using the same logic that
originally labeled the associated request_sock.
See the inline comments for more explanation.
Reported-by: Janak Desai <Janak.Desai@gtri.gatech.edu>
Tested-by: Janak Desai <Janak.Desai@gtri.gatech.edu>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'net/mac80211/sta_info.c')
0 files changed, 0 insertions, 0 deletions