Thank you
Tai

On 2/20/14, 12:19 PM, "Stephen Smalley" <[email protected]> wrote:

>On 02/20/2014 10:47 AM, Stephen Smalley wrote:
>> On 02/20/2014 10:38 AM, Tai Nguyen (tainguye) wrote:
>>> Our BT folks said net/bluetooth create child sockets for each protocol, which do not call security API, thus, the child socket doesn't have label.
>>> They suggested the following change for l2cap_sock.c
>>>
>>> void l2cap_sock_init(struct sock *sk, struct sock *parent)
>>> {
>>> struct l2cap_pinfo *pi = l2cap_pi(sk);
>>>
>>> BT_DBG("sk %p parent %p", sk, parent);
>>>
>>> if (parent) {
>>> sk->sk_type = parent->sk_type;
>>> sk->sk_rcvbuf = parent->sk_rcvbuf;
>>> sk->sk_sndbuf = parent->sk_sndbuf;
>>> bt_sk(sk)->defer_setup = bt_sk(parent)->defer_setup;
>>>
>>> pi->imtu = l2cap_pi(parent)->imtu;
>>> pi->omtu = l2cap_pi(parent)->omtu;
>>> pi->conf_state = l2cap_pi(parent)->conf_state;
>>> pi->mode = l2cap_pi(parent)->mode;
>>> pi->fcs = l2cap_pi(parent)->fcs;
>>> pi->max_tx = l2cap_pi(parent)->max_tx;
>>> pi->tx_win = l2cap_pi(parent)->tx_win;
>>> pi->sec_level = l2cap_pi(parent)->sec_level;
>>> pi->role_switch = l2cap_pi(parent)->role_switch;
>>> pi->force_reliable = l2cap_pi(parent)->force_reliable;
>>> pi->flushable = l2cap_pi(parent)->flushable;
>>> pi->force_active = l2cap_pi(parent)->force_active;
>>> pi->amp_pref = l2cap_pi(parent)->amp_pref;
>>> security_sk_clone(parent, sk); // <<< Cloning the context from the
>>>parent
>>> }
>>>
>>> Similar changes also needed for rfcomm/sock.c in function rfcomm_sock_init(sk, parent).
>>>
>>> After applying the patch, I don't see the unlabeled socket audit messages anymore. However, I don't see the same code in the msm kernel in branch 4.4.2.
>>> Thus, I want to check if the msm kernel also has the same issue or the msm kernel fix the problem differently.
>>
>> Possibly we don't encounter this because Android is not using blueZ anymore.
>>
>> What you describe sounds like a gap in the mainline kernel; will take it
>> up with upstream.
>
>This was fixed by the following commit, which is included in our 3.4
>kernel trees.
>
>commit 6230c9b4f8957c8938ee4cf2d03166d3c2dc89de
>Author: Paul Moore <[email protected]>
>Date: Fri Oct 7 09:40:59 2011 +0000
>
> bluetooth: Properly clone LSM attributes to newly created child
> connections
>
> The Bluetooth stack has internal connection handlers for all of the
> various Bluetooth protocols, and unfortunately, they are currently
> lacking the LSM hooks found in the core network stack's connection
> handlers. I say unfortunately, because this can cause problems for
> users who have an LSM enabled and are using certain Bluetooth
> devices. See one problem report below:
>
> * http://bugzilla.redhat.com/show_bug.cgi?id=741703
>
> In order to keep things simple at this point in time, this patch fixes the
> problem by cloning the parent socket's LSM attributes to the newly created
> child socket. If we decide we need a more elaborate LSM marking mechanism
> for Bluetooth (I somewhat doubt this) we can always revisit this decision
> in the future.
>
> Reported-by: James M. Cape <[email protected]>
> Signed-off-by: Paul Moore <[email protected]>
> Acked-by: James Morris <[email protected]>
> Signed-off-by: David S. Miller <[email protected]>
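
Review bot: the quoted l2cap_sock_init() change covers only one protocol, and the mail names rfcomm_sock_init() as the only other place needing the call, while the quoted commit message speaks of internal connection handlers for "all of the various Bluetooth protocols". Every Bluetooth child-socket init path that copies fields from a parent should be checked for the same security_sk_clone(parent, sk) call, otherwise unlabeled-socket audit messages can persist for the protocols left out. On style, the trailing `// <<<` marker on the added line should be dropped or turned into a `/* ... */` comment above the call before the change is carried in a tree. When backporting, confirm that the target tree contains commit 6230c9b4f8957c8938ee4cf2d03166d3c2dc89de rather than hand-applying the call, so the l2cap and rfcomm changes stay in step with upstream.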
