From patchwork Mon Mar 29 18:24:43 2021
X-Patchwork-Submitter: David Brazdil
X-Patchwork-Id: 411251
Date: Mon, 29 Mar 2021 18:24:43 +0000
Message-Id: <20210329182443.1960963-1-dbrazdil@google.com>
X-Mailer: git-send-email 2.31.0.291.g576ba9dcdaf-goog
Subject: [PATCH pre-5.10] selinux: vsock: Set SID for socket returned by accept()
From: David Brazdil
To: stable@vger.kernel.org
Cc: "David S . Miller", Stefano Garzarella, Greg Kroah-Hartman, James Morris, Jorgen Hansen, Jeff Vander Stoep, David Brazdil, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Precedence: bulk
X-Mailing-List: stable@vger.kernel.org

[Backport of commit 1f935e8e72ec28dddb2dc0650b3b6626a293d94b to all
stable branches from 4.4 to 5.4, inclusive]

For AF_VSOCK, accept() currently returns sockets that are unlabelled.
Other socket families derive the child's SID from the SID of the parent
and the SID of the incoming packet. This is typically done as the
connected socket is placed in the queue that accept() removes from.

Reuse the existing 'security_sk_clone' hook to copy the SID from the
parent (server) socket to the child. There is no packet SID in this
case.

Cc: stable@vger.kernel.org
Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
Signed-off-by: David Brazdil
Signed-off-by: David S. Miller
--- net/vmw_vsock/af_vsock.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c index 5d323574d04f..c82e7b52ab1f 100644 --- a/net/vmw_vsock/af_vsock.c +++ b/net/vmw_vsock/af_vsock.c @@ -620,6 +620,7 @@ struct sock *__vsock_create(struct net *net, vsk->trusted = psk->trusted; vsk->owner = get_cred(psk->owner); vsk->connect_timeout = psk->connect_timeout; + security_sk_clone(parent, sk); } else { vsk->trusted = ns_capable_noaudit(&init_user_ns, CAP_NET_ADMIN); vsk->owner = get_current_cred();
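
Review bot: The added `security_sk_clone(parent, sk);` takes `parent`, while every other line in this branch of `__vsock_create()` reads from `psk`, and the condition guarding the branch is outside the visible context. Please confirm that `parent` cannot be NULL whenever this branch runs, or state in the commit message which pointer the branch tests and how `psk` relates to `parent`. A one-line comment above the call, saying that the child takes the listening socket's SID because there is no packet SID to combine it with, would carry the reasoning from the commit message into the code for readers comparing this with other socket families. Since the patch targets every stable branch from 4.4 to 5.4, it is also worth checking that the context lines around the insertion apply unchanged on each of them.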