Commit bfa523d1 authored by James Morris's avatar James Morris Committed by David S. Miller

[AF_UNIX]: Fix SELinux crashes with SOCK_SEQPACKET

1) Don't call security_unix_may_send() hook during sendmsg() for 
SOCK_SEQPACKET, and ensure that sendmsg() can only be called on a 
connected socket so as not to bypass the security_unix_stream_connect() 
hook.

2) Return -EINVAL if sendto() is called on SOCK_SEQPACKET with an address 
supplied.
Signed-off-by: default avatarJames Morris <jmorris@redhat.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 0cfbca35
...@@ -466,6 +466,8 @@ static int unix_dgram_recvmsg(struct kiocb *, struct socket *, ...@@ -466,6 +466,8 @@ static int unix_dgram_recvmsg(struct kiocb *, struct socket *,
struct msghdr *, size_t, int); struct msghdr *, size_t, int);
static int unix_dgram_connect(struct socket *, struct sockaddr *, static int unix_dgram_connect(struct socket *, struct sockaddr *,
int, int); int, int);
static int unix_seqpacket_sendmsg(struct kiocb *, struct socket *,
struct msghdr *, size_t);
static struct proto_ops unix_stream_ops = { static struct proto_ops unix_stream_ops = {
.family = PF_UNIX, .family = PF_UNIX,
...@@ -524,7 +526,7 @@ static struct proto_ops unix_seqpacket_ops = { ...@@ -524,7 +526,7 @@ static struct proto_ops unix_seqpacket_ops = {
.shutdown = unix_shutdown, .shutdown = unix_shutdown,
.setsockopt = sock_no_setsockopt, .setsockopt = sock_no_setsockopt,
.getsockopt = sock_no_getsockopt, .getsockopt = sock_no_getsockopt,
.sendmsg = unix_dgram_sendmsg, .sendmsg = unix_seqpacket_sendmsg,
.recvmsg = unix_dgram_recvmsg, .recvmsg = unix_dgram_recvmsg,
.mmap = sock_no_mmap, .mmap = sock_no_mmap,
.sendpage = sock_no_sendpage, .sendpage = sock_no_sendpage,
...@@ -1354,9 +1356,11 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock, ...@@ -1354,9 +1356,11 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock,
if (other->sk_shutdown & RCV_SHUTDOWN) if (other->sk_shutdown & RCV_SHUTDOWN)
goto out_unlock; goto out_unlock;
err = security_unix_may_send(sk->sk_socket, other->sk_socket); if (sk->sk_type != SOCK_SEQPACKET) {
if (err) err = security_unix_may_send(sk->sk_socket, other->sk_socket);
goto out_unlock; if (err)
goto out_unlock;
}
if (unix_peer(other) != sk && if (unix_peer(other) != sk &&
(skb_queue_len(&other->sk_receive_queue) > (skb_queue_len(&other->sk_receive_queue) >
...@@ -1506,6 +1510,20 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock, ...@@ -1506,6 +1510,20 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
return sent ? : err; return sent ? : err;
} }
static int unix_seqpacket_sendmsg(struct kiocb *kiocb, struct socket *sock,
struct msghdr *msg, size_t len)
{
struct sock *sk = sock->sk;
if (sk->sk_state != TCP_ESTABLISHED)
return -ENOTCONN;
if (msg->msg_name || msg->msg_namelen)
return -EINVAL;
return unix_dgram_sendmsg(kiocb, sock, msg, len);
}
static void unix_copy_addr(struct msghdr *msg, struct sock *sk) static void unix_copy_addr(struct msghdr *msg, struct sock *sk)
{ {
struct unix_sock *u = unix_sk(sk); struct unix_sock *u = unix_sk(sk);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment