)]}'
{
  "commit": "446b802437f285de68ffb8d6fac3c44c3cab5b04",
  "tree": "2123c25875f8ad75114592e4755d21429765a6c0",
  "parents": [
    "47180068276a04ed31d24fe04c673138208b07a9"
  ],
  "author": {
    "name": "Paul Moore",
    "email": "pmoore@redhat.com",
    "time": "Wed Dec 04 16:10:51 2013 -0500"
  },
  "committer": {
    "name": "Paul Moore",
    "email": "pmoore@redhat.com",
    "time": "Thu Dec 12 17:21:31 2013 -0500"
  },
  "message": "selinux: handle TCP SYN-ACK packets correctly in selinux_ip_postroute()\n\nIn selinux_ip_postroute() we perform access checks based on the\npacket\u0027s security label.  For locally generated traffic we get the\npacket\u0027s security label from the associated socket; this works in all\ncases except for TCP SYN-ACK packets.  In the case of SYN-ACK packet\u0027s\nthe correct security label is stored in the connection\u0027s request_sock,\nnot the server\u0027s socket.  Unfortunately, at the point in time when\nselinux_ip_postroute() is called we can\u0027t query the request_sock\ndirectly, we need to recreate the label using the same logic that\noriginally labeled the associated request_sock.\n\nSee the inline comments for more explanation.\n\nReported-by: Janak Desai \u003cJanak.Desai@gtri.gatech.edu\u003e\nTested-by: Janak Desai \u003cJanak.Desai@gtri.gatech.edu\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "877bab748c8794b5c89391cc3f16c922cdf2a600",
      "old_mode": 33188,
      "old_path": "security/selinux/hooks.c",
      "new_id": "cc076a9b0344bf7f6779dcea0371b103f07945aa",
      "new_mode": 33188,
      "new_path": "security/selinux/hooks.c"
    }
  ]
}