Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next

This merge resolves conflicts with 75aec9df3a78 ("bridge: Remove br_nf_push_frag_xmit_sk") as part of Eric Biederman's effort to improve netns support in the network stack that reached upstream via David's net-next tree. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Conflicts: net/bridge/br_netfilter_hooks.c
author: Pablo Neira Ayuso <pablo@netfilter.org> 2015-10-17 08:11:08 -0400
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2015-10-17 08:28:03 -0400
commit: f0a0a978b66fea782a52b0a7075b3fa9ab27ad0a (patch)
tree: 52ecc0eafbac697c6afaa542efe324984484120c /security/selinux/hooks.c
parent: c8d71d08aa23679f56e7072358383442c6ede352 (diff)
parent: 4be3158abe1e02d24f82b34101e41d662fae2185 (diff)
1 files changed, 8 insertions, 4 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 659bb50f0232..26f4039d54b8 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4898,7 +4898,7 @@ static unsigned int selinux_ip_output(struct sk_buff *skb,
        if (sk) {
                struct sk_security_struct *sksec;
-                if (sk->sk_state == TCP_LISTEN)
+                if (sk_listener(sk))
                        /* if the socket is the listening state then this
                         * packet is a SYN-ACK packet which means it needs to
                         * be labeled based on the connection/request_sock and
@@ -5005,7 +5005,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb,
         *       unfortunately, this means more work, but it is only once per
         *       connection. */
        if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
-            !(sk != NULL && sk->sk_state == TCP_LISTEN))
+            !(sk && sk_listener(sk)))
                return NF_ACCEPT;
 #endif
@@ -5022,7 +5022,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb,
                        secmark_perm = PACKET__SEND;
                        peer_sid = SECINITSID_KERNEL;
                }
-        } else if (sk->sk_state == TCP_LISTEN) {
+        } else if (sk_listener(sk)) {
                /* Locally generated packet but the associated socket is in the
                 * listening state which means this is a SYN-ACK packet.  In
                 * this particular case the correct security label is assigned
@@ -5033,7 +5033,11 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb,
                 * selinux_inet_conn_request().  See also selinux_ip_output()
                 * for similar problems. */
                u32 skb_sid;
-                struct sk_security_struct *sksec = sk->sk_security;
+                struct sk_security_struct *sksec;
+                if (sk->sk_state == TCP_NEW_SYN_RECV)
+                        sk = inet_reqsk(sk)->rsk_listener;
+                sksec = sk->sk_security;
                if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
                        return NF_DROP;
                /* At this point, if the returned skb peerlbl is SECSID_NULL
author	Pablo Neira Ayuso <pablo@netfilter.org>	2015-10-17 08:11:08 -0400
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2015-10-17 08:28:03 -0400
commit	f0a0a978b66fea782a52b0a7075b3fa9ab27ad0a (patch)
tree	52ecc0eafbac697c6afaa542efe324984484120c /security/selinux/hooks.c
parent	c8d71d08aa23679f56e7072358383442c6ede352 (diff)
parent	4be3158abe1e02d24f82b34101e41d662fae2185 (diff)