From: Paul Moore
Date: Wed, 4 Dec 2013 21:10:51 +0000 (-0500)
Subject: selinux: handle TCP SYN-ACK packets correctly in selinux_ip_postroute()
X-Git-Tag: v3.2.54~41
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=117bd60788c1cfd2281a62cbc0d32798725cfd23;p=pandora-kernel.git

selinux: handle TCP SYN-ACK packets correctly in selinux_ip_postroute()

commit 446b802437f285de68ffb8d6fac3c44c3cab5b04 upstream.

In selinux_ip_postroute() we perform access checks based on the packet's security label. For locally generated traffic we get the packet's security label from the associated socket; this works in all cases except for TCP SYN-ACK packets. In the case of SYN-ACK packets the correct security label is stored in the connection's request_sock, not the server's socket. Unfortunately, at the point in time when selinux_ip_postroute() is called we can't query the request_sock directly; we need to recreate the label using the same logic that originally labeled the associated request_sock. See the inline comments for more explanation.

Reported-by: Janak Desai
Tested-by: Janak Desai
Signed-off-by: Paul Moore
Signed-off-by: Ben Hutchings
---