kernel_samsung_a53x/security
Konstantin Andreev 7ee4e0095c smack: unix sockets: fix accept()ed socket label
[ Upstream commit e86cac0acdb1a74f608bacefe702f2034133a047 ]

When a process accept()s a connection from a unix socket
(either stream or seqpacket)
it gets the socket with the label of the connecting process.

For example, if a connecting process has a label 'foo',
the accept()ed socket will also have 'in' and 'out' labels 'foo',
regardless of the label of the listener process.

This is because the kernel creates unix child sockets
in the context of the connecting process.

I do not see any obvious way for the listener to abuse
alien labels coming with the new socket, but,
to be on the safe side, it's better to fix new socket labels.

Signed-off-by: Konstantin Andreev <andreev@swemel.ru>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2025-01-19 14:48:42 +01:00
apparmor apparmor: test: Fix memory leak for aa_unpack_strdup() 2024-12-17 13:24:18 +01:00
bpf Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
integrity ima: Avoid blocking in RCU read-side critical section 2024-11-19 14:19:42 +01:00
keys security/keys: fix slab-out-of-bounds in key_task_permission 2024-11-30 02:33:21 +01:00
loadpin Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
lockdown Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
safesetid Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
samsung security: samsung: defex_lsm: nuke 2024-06-15 16:20:49 -03:00
sdp Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
selinux selinux: ignore unknown extended permissions 2025-01-15 16:29:52 +01:00
smack smack: unix sockets: fix accept()ed socket label 2025-01-19 14:48:42 +01:00
tomoyo Revert "tomoyo: fallback to realpath if symlink's pathname does not exist" 2024-11-24 00:23:01 +01:00
yama Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
commoncap.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
device_cgroup.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
inode.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
Kconfig Revert "proc: add config & param to block forcing mem writes" 2024-11-24 00:23:07 +01:00
Kconfig.hardening mm: add support for verifying page sanitization 2024-11-30 02:17:18 +01:00
lsm_audit.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
Makefile selinux: Remove audit dependency 2024-11-19 17:53:57 +01:00
min_addr.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
security.c ima: Avoid blocking in RCU read-side critical section 2024-11-19 14:19:42 +01:00