[PATCH] security: fix the logic in security_inode_getsecctx()
Paul Moore
paul at paul-moore.com
Tue Jan 30 16:31:23 UTC 2024
On Tue, Jan 30, 2024 at 10:44 AM Stephen Smalley
<stephen.smalley.work at gmail.com> wrote:
> On Mon, Jan 29, 2024 at 4:56 PM Paul Moore <paul at paul-moore.com> wrote:
> >
> > On Mon, Jan 29, 2024 at 2:49 PM Stephen Smalley
> > <stephen.smalley.work at gmail.com> wrote:
> > > unix_socket test is failing because type_transition rule is not being
> > > applied to newly created server socket, leading to a denial when the
> > > client tries to connect. I believe that once worked; will see if I can
> > > find the last working kernel.
> >
> > If we had a socket type transition on new connections I think it would
> > have been a *long* time ago. I don't recall us supporting that, but
> > it's possible I've simply forgotten.
> >
> > That isn't to say I wouldn't support something like that, it could be
> > interesting, but we would want to make sure it applies to all
> > connection based sockets and not just AF_UNIX. Although for the vast
> > majority of users it would probably only be useful for AF_UNIX as you
> > would need a valid peer label to do a meaningful transition.
>
> Sorry, I probably wasn't clear. I mean that the Unix socket files are
> NOT being labeled in accordance with the type_transition rules in
> policy. Which does work on local file systems and used to work on NFS,
> so this is a regression at some point (but not new to Ondrej's patch).
Ah, gotcha.
I guess I'm not too surprised, the sock/socket/inode labeling and
duplication has always been very awkward and it wouldn't surprise me
if we inadvertently broke something over the years. Tracking down the
source of the breakage is good, but if that is taking too long (I can
only imagine how long that might take), I would be happy with a fix
with a number of comment additions warning future devs against
changing the relevant code.
--
paul-moore.com
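The regression under discussion is easy to confirm on a given kernel without reading code: create an AF_UNIX socket file in a directory and compare the type the kernel assigned to the `sock_file` inode with the type the policy's type_transition rule should have produced. The probe below is an added example written for this archive page, not code from the thread, the SELinux testsuite or the kernel. It assumes a Linux host with `security.selinux` xattrs readable from userspace; the expected type passed to it is a placeholder that must come from the policy being tested (`sesearch -T -c sock_file` is the usual way to find it). On a kernel without SELinux it reports `no-label` rather than failing.

```python
"""Probe whether a freshly bound AF_UNIX socket file receives the SELinux
type that a type_transition rule for the sock_file class should assign.

Added example for the mailing-list thread above; not kernel or testsuite code.
"""
import os
import socket
import tempfile

SELINUX_XATTR = "security.selinux"


def parse_context(ctx: str) -> dict:
    """Split 'user:role:type[:range]' into fields.

    The MLS/MCS range is optional and may itself contain ':' (e.g.
    's0-s0:c0.c1023'), so split at most three times.
    """
    parts = ctx.rstrip("\x00").split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {ctx!r}")
    return {
        "user": parts[0],
        "role": parts[1],
        "type": parts[2],
        "range": parts[3] if len(parts) > 3 else None,
    }


def read_label(path: str):
    """Return the raw SELinux context of *path*, or None when the kernel or
    filesystem exposes no security.selinux xattr (non-SELinux host, NFS
    without labeled-NFS support, etc.)."""
    getxattr = getattr(os, "getxattr", None)  # Linux-only API
    if getxattr is None:
        return None
    try:
        return getxattr(path, SELINUX_XATTR, follow_symlinks=False).decode()
    except OSError:
        return None


def create_unix_socket_file(directory: str) -> str:
    """bind() is the call that actually creates the sock_file inode, which is
    the point at which the kernel is expected to apply type_transition."""
    path = os.path.join(directory, "probe.sock")
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        sock.bind(path)
    finally:
        sock.close()
    return path


def check_socket_label(directory: str, expected_type: str) -> dict:
    """Create a socket file in *directory*, read its label, remove it, and
    report 'ok', 'mismatch' or 'no-label' together with what was observed."""
    path = create_unix_socket_file(directory)
    try:
        ctx = read_label(path)
        parent_ctx = read_label(directory)
    finally:
        os.unlink(path)  # always clean up the probe inode
    parent_type = parse_context(parent_ctx)["type"] if parent_ctx else None
    if ctx is None:
        return {"status": "no-label", "observed": None, "parent": parent_type}
    observed = parse_context(ctx)["type"]
    return {
        "status": "ok" if observed == expected_type else "mismatch",
        "observed": observed,
        "parent": parent_type,
    }


def run_probe_in_tmpdir(expected_type: str) -> dict:
    """Convenience wrapper: run the check in a fresh temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        return check_socket_label(d, expected_type)


if __name__ == "__main__":
    # EXPECTED_SOCK_TYPE is a placeholder; take the real value from
    # `sesearch -T -c sock_file` against the policy on the test machine.
    EXPECTED_SOCK_TYPE = "PLACEHOLDER_sock_t"
    print(run_probe_in_tmpdir(EXPECTED_SOCK_TYPE))
```

A `mismatch` whose `observed` equals `parent` is the symptom described in the thread: the socket inode simply inherited the directory's type and the transition was never applied. Run it once on a local filesystem and once on an NFS mount to separate a policy problem from the NFS-specific regression.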