[PATCH v2] smack: unix sockets: fix accept()ed socket label

Casey Schaufler casey at schaufler-ca.com
Thu Jun 20 17:42:16 UTC 2024


On 6/16/2024 3:44 PM, Konstantin Andreev wrote:
> When a process accept()s connection from a unix socket
> (either stream or seqpacket)
> it gets the socket with the label of the connecting process.
>
> For example, if a connecting process has a label 'foo',
> the accept()ed socket will also have 'in' and 'out' labels 'foo',
> regardless of the label of the listener process.
>
> This is because kernel creates unix child sockets
> in the context of the connecting process.
>
> I do not see any obvious way for the listener to abuse
> alien labels coming with the new socket, but,
> to be on the safe side, it's better fix new socket labels.
>
> Signed-off-by: Konstantin Andreev <andreev at swemel.ru>

Thanks. I have taken this in Smack next.

> ---
> v2: fixed comment style
> The patch is against `next' branch at https://github.com/cschaufler/smack-next
> The patch does not hurt `Smack kernel test suite' https://github.com/smack-team/smack-testsuite.git
>
>  security/smack/smack_lsm.c | 12 +++++++++---
>  1 file changed, 9 insertions(+), 3 deletions(-)
>
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index 56e02cc5c44d..d0d484c1599a 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -3846,12 +3846,18 @@ static int smack_unix_stream_connect(struct sock *sock,
>  		}
>  	}
>  
> -	/*
> -	 * Cross reference the peer labels for SO_PEERSEC.
> -	 */
>  	if (rc == 0) {
> +		/*
> +		 * Cross reference the peer labels for SO_PEERSEC.
> +		 */
>  		nsp->smk_packet = ssp->smk_out;
>  		ssp->smk_packet = osp->smk_out;
> +
> +		/*
> +		 * new/child/established socket must inherit listening socket labels
> +		 */
> +		nsp->smk_out = osp->smk_out;
> +		nsp->smk_in  = osp->smk_in;
>  	}
>  
>  	return rc;



More information about the Linux-security-module-archive mailing list