| | | |
|---|---|---|
| author | Paul Moore <[email protected]> | 2013-12-03 11:14:04 -0500 |
| committer | Paul Moore <[email protected]> | 2013-12-04 16:06:47 -0500 |
| commit | da2ea0d05671f878196cc949906aa89d15c567db (patch) | |
| tree | a9067db90c8d2da60f1a38ba649f793a09620f8d /tools/perf/scripts/python/event_analyzing_sample.py | |
| parent | 8e645c345a4cf6b8b13054b4ec2f6371f05876a9 (diff) | |
selinux: handle TCP SYN-ACK packets correctly in selinux_ip_output()
In selinux_ip_output() we always label packets based on the parent
socket. While this approach works in almost all cases, it doesn't
work in the case of TCP SYN-ACK packets when the correct label is not
the label of the parent socket, but rather the label of the larval
socket represented by the request_sock struct.
Unfortunately, since the request_sock isn't queued on the parent
socket until *after* the SYN-ACK packet is sent, we can't look up the
request_sock to determine the correct label for the packet; at this
point in time the best we can do is simply pass/NF_ACCEPT the packet.
It must be said that simply passing the packet without any explicit
labeling action, while far from ideal, is not terrible as the SYN-ACK
packet will inherit any IP option based labeling from the initial
connection request so the label *should* be correct and all our
access controls remain in place so we shouldn't have to worry about
information leaks.
Reported-by: Janak Desai <[email protected]>
Tested-by: Janak Desai <[email protected]>
Cc: [email protected]
Signed-off-by: Paul Moore <[email protected]>
Diffstat (limited to 'tools/perf/scripts/python/event_analyzing_sample.py')
0 files changed, 0 insertions, 0 deletions