aboutsummaryrefslogtreecommitdiff
path: root/lib/atomic64.c
diff options
context:
space:
mode:
authorPaul Moore <pmoore@redhat.com>2013-12-04 16:10:51 -0500
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2013-12-20 07:45:09 -0800
commit348d7867154c8d7b6f472cbe5918b1169dd13b0c (patch)
tree7e326e48368b2aa7e0edf226af00c78b2c5ee452 /lib/atomic64.c
parent216c4a776a12148e8386070da71b9f10ab854e93 (diff)
selinux: handle TCP SYN-ACK packets correctly in selinux_ip_postroute()
commit 446b802437f285de68ffb8d6fac3c44c3cab5b04 upstream. In selinux_ip_postroute() we perform access checks based on the packet's security label. For locally generated traffic we get the packet's security label from the associated socket; this works in all cases except for TCP SYN-ACK packets. In the case of SYN-ACK packet's the correct security label is stored in the connection's request_sock, not the server's socket. Unfortunately, at the point in time when selinux_ip_postroute() is called we can't query the request_sock directly, we need to recreate the label using the same logic that originally labeled the associated request_sock. See the inline comments for more explanation. Reported-by: Janak Desai <Janak.Desai@gtri.gatech.edu> Tested-by: Janak Desai <Janak.Desai@gtri.gatech.edu> Signed-off-by: Paul Moore <pmoore@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'lib/atomic64.c')
0 files changed, 0 insertions, 0 deletions