| From 46d01d63221c3508421dd72ff9c879f61053cffc Mon Sep 17 00:00:00 2001 |
| From: Chad Hanson <chanson@trustedcs.com> |
| Date: Mon, 23 Dec 2013 17:45:01 -0500 |
| Subject: selinux: fix broken peer recv check |
| |
| From: Chad Hanson <chanson@trustedcs.com> |
| |
| commit 46d01d63221c3508421dd72ff9c879f61053cffc upstream. |
| |
| Fix a broken networking check. Return an error if peer recv fails. If |
| secmark is active and the packet recv succeeds the peer recv error is |
| ignored. |
| |
| Signed-off-by: Chad Hanson <chanson@trustedcs.com> |
| Signed-off-by: Paul Moore <pmoore@redhat.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| security/selinux/hooks.c | 4 +++- |
| 1 file changed, 3 insertions(+), 1 deletion(-) |
| |
| --- a/security/selinux/hooks.c |
| +++ b/security/selinux/hooks.c |
| @@ -4240,8 +4240,10 @@ static int selinux_socket_sock_rcv_skb(s |
| } |
| err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, |
| PEER__RECV, &ad); |
| - if (err) |
| + if (err) { |
| selinux_netlbl_err(skb, err, 0); |
| + return err; |
| + } |
| } |
| |
| if (secmark_active) { |
