[PATCH] smack: unix sockets: fix accept()ed socket label
Casey Schaufler
casey at schaufler-ca.com
Sun Jun 16 17:54:44 UTC 2024
On 6/16/2024 7:27 AM, Konstantin Andreev wrote:
> When a process accept()s connection from a unix socket
> (either stream or seqpacket)
> it gets the socket with the label of the connecting process.
>
> For example, if a connecting process has a label 'foo',
> the accept()ed socket will also have 'in' and 'out' labels 'foo',
> regardless of the label of the listener process.
>
> This is because the kernel creates unix child sockets
> in the context of the connecting process.
>
> I do not see any obvious way for the listener to abuse
> alien labels coming with the new socket, but,
> to be on the safe side, it's better to fix the new socket labels.
>
> Signed-off-by: Konstantin Andreev <andreev at swemel.ru>
> ---
> The patch is against `next' branch at https://github.com/cschaufler/smack-next
> The patch does not hurt `Smack kernel test suite' https://github.com/smack-team/smack-testsuite.git
>
> security/smack/smack_lsm.c | 11 ++++++++---
> 1 file changed, 8 insertions(+), 3 deletions(-)
>
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index 56e02cc5c44d..0843bc519ed9 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -3846,12 +3846,17 @@ static int smack_unix_stream_connect(struct sock *sock,
> }
> }
>
> - /*
> - * Cross reference the peer labels for SO_PEERSEC.
> - */
> if (rc == 0) {
> + /*
> + * Cross reference the peer labels for SO_PEERSEC.
> + */
> nsp->smk_packet = ssp->smk_out;
> ssp->smk_packet = osp->smk_out;
> +
> + /* new/child/established socket must inherit listening socket labels */
Please use the multiple line comment style from above.
> +
> + nsp->smk_out = osp->smk_out;
> + nsp->smk_in = osp->smk_in;
> }
>
> return rc;
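Review bot: the new comment ("new/child/established socket must inherit listening socket labels") states what the two assignments do but not why, and the rationale lives only in the commit message; since the child socket is created in the context of the connecting process and so starts out with that process's labels, that is the fact a future reader of smack_unix_stream_connect() needs to see next to `nsp->smk_out = osp->smk_out;` and `nsp->smk_in = osp->smk_in;`, so carry it into the comment. The blank `+` line between the comment and the assignments it describes also detaches the comment from its code; dropping it (keeping only the blank line that separates the smk_packet cross-reference from the new block) keeps the comment attached to what it explains. The ordering itself looks right: nsp->smk_packet is taken from ssp->smk_out before nsp's own labels are overwritten, and both changes stay inside the `if (rc == 0)` branch, so a refused connection leaves the child's labels untouched.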
More information about the Linux-security-module-archive mailing list