selinux: handle TCP SYN-ACK packets correctly in selinux_ip_postroute()
authorPaul Moore <pmoore@redhat.com>
Tue, 3 Dec 2013 16:16:36 +0000 (11:16 -0500)
committerPaul Moore <pmoore@redhat.com>
Wed, 4 Dec 2013 21:07:28 +0000 (16:07 -0500)
commit7f721643db3b2da53e1b91aaa4e8cb7706bfdd10
tree2265959ac11a9e6acce19ae68bb4b837af186fb5
parentda2ea0d05671f878196cc949906aa89d15c567db
selinux: handle TCP SYN-ACK packets correctly in selinux_ip_postroute()

In selinux_ip_postroute() we perform access checks based on the
packet's security label.  For locally generated traffic we get the
packet's security label from the associated socket; this works in all
cases except for TCP SYN-ACK packets.  In the case of SYN-ACK packet's
the correct security label is stored in the connection's request_sock,
not the server's socket.  Unfortunately, at the point in time when
selinux_ip_postroute() is called we can't query the request_sock
directly, we need to recreate the label using the same logic that
originally labeled the associated request_sock.

See the inline comments for more explanation.

Reported-by: Janak Desai <Janak.Desai@gtri.gatech.edu>
Tested-by: Janak Desai <Janak.Desai@gtri.gatech.edu>
Cc: stable@vger.kernel.org
Signed-off-by: Paul Moore <pmoore@redhat.com>
security/selinux/hooks.c