From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Tue, 7 Jul 2015 13:43:45 +0000 (-0400)
Subject: net/tipc: initialize security state for new connection socket
X-Git-Tag: firefly_0821_release~3679^2~95
X-Git-Url: http://plrg.eecs.uci.edu/git/?a=commitdiff_plain;h=afabf2a8b621f2c300cbdf6adb0f8855f612b3a6;p=firefly-linux-kernel-4.4.55.git

net/tipc: initialize security state for new connection socket

[ Upstream commit fdd75ea8df370f206a8163786e7470c1277a5064 ]

Calling connect() with an AF_TIPC socket would trigger a series
of error messages from SELinux along the lines of:
SELinux: Invalid class 0
type=AVC msg=audit(1434126658.487:34500): avc:  denied  { <unprintable> }
  for pid=292 comm="kworker/u16:5" scontext=system_u:system_r:kernel_t:s0
  tcontext=system_u:object_r:unlabeled_t:s0 tclass=<unprintable>
  permissive=0

This was due to a failure to initialize the security state of the new
connection sock by the tipc code, leaving it with junk in the security
class field and an unlabeled secid.  Add a call to security_sk_clone()
to inherit the security state from the parent socket.

Reported-by: Tim Shearer <tim.shearer@overturenetworks.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Paul Moore <paul@paul-moore.com>
Acked-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index 2b1d7c2d677d..e0cb5edc6d1d 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -1528,6 +1528,7 @@ static int accept(struct socket *sock, struct socket *new_sock, int flags)
 	res = tipc_create(sock_net(sock->sk), new_sock, 0, 0);
 	if (res)
 		goto exit;
+	security_sk_clone(sock->sk, new_sock->sk);
 
 	new_sk = new_sock->sk;
 	new_tsock = tipc_sk(new_sk);