Merge branch 'stable-3.16' of git://git.infradead.org/users/pcmoore/selinux into...

diff --git a/include/linux/security.h b/include/linux/security.h
index 9c6b9722ff48d5a2304367f5f2448a7201ea55b4..59820f8782a1184e01b31644f8680068ef284e83 100644 (file)
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -987,7 +987,10 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
  *     Retrieve the LSM-specific secid for the sock to enable caching of network
  *     authorizations.
  * @sock_graft:
- *     Sets the socket's isec sid to the sock's sid.
+ *     This hook is called in response to a newly created sock struct being
+ *     grafted onto an existing socket and allows the security module to
+ *     perform whatever security attribute management is necessary for both
+ *     the sock and socket.
  * @inet_conn_request:
  *     Sets the openreq's sid to socket's sid with MLS portion taken from peer sid.
  * @inet_csk_clone:

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 83d06db34d0358df289f8337b37f200d800b6c41..a1ac1c5c729b0818d43ea26e03e8c1ca6eb23afa 100644 (file)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4499,9 +4499,18 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent)
        struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
        struct sk_security_struct *sksec = sk->sk_security;
 
-       if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
-           sk->sk_family == PF_UNIX)
+       switch (sk->sk_family) {
+       case PF_INET:
+       case PF_INET6:
+       case PF_UNIX:
                isec->sid = sksec->sid;
+               break;
+       default:
+               /* by default there is no special labeling mechanism for the
+                * sksec label so inherit the label from the parent socket */
+               BUG_ON(sksec->sid != SECINITSID_UNLABELED);
+               sksec->sid = isec->sid;
+       }
        sksec->sclass = isec->sclass;
 }