1 files changed, 16 insertions, 1 deletions
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index 5470f32eca54..2477a75f16e7 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -410,6 +410,21 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
 }
 /**
+ * selinux_netlbl_option - Is this a NetLabel option
+ * @level: the socket level or protocol
+ * @optname: the socket option name
+ *
+ * Description:
+ * Returns true if @level and @optname refer to a NetLabel option.
+ * Helper for selinux_netlbl_socket_setsockopt().
+ */
+static inline int selinux_netlbl_option(int level, int optname)
+{
+        return (level == IPPROTO_IP && optname == IP_OPTIONS) ||
+                (level == IPPROTO_IPV6 && optname == IPV6_HOPOPTS);
+}
+/**
 * selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel
 * @sock: the socket
 * @level: the socket level or protocol
@@ -431,7 +446,7 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock,
        struct sk_security_struct *sksec = sk->sk_security;
        struct netlbl_lsm_secattr secattr;
-        if (level == IPPROTO_IP && optname == IP_OPTIONS &&
+        if (selinux_netlbl_option(level, optname) &&
            (sksec->nlbl_state == NLBL_LABELED ||
             sksec->nlbl_state == NLBL_CONNLABELED)) {
                netlbl_secattr_init(&secattr);

diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c index 5470f32eca54..2477a75f16e7 100644 --- a/security/selinux/netlabel.c +++ b/security/selinux/netlabel.c
@@ -410,6 +410,21 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
410	}	410	}
411		411
412	/**	412	/**
		413	* selinux_netlbl_option - Is this a NetLabel option
		414	* @level: the socket level or protocol
		415	* @optname: the socket option name
		416	*
		417	* Description:
		418	* Returns true if @level and @optname refer to a NetLabel option.
		419	* Helper for selinux_netlbl_socket_setsockopt().
		420	*/
		421	static inline int selinux_netlbl_option(int level, int optname)
		422	{
		423	return (level == IPPROTO_IP && optname == IP_OPTIONS) \|\|
		424	(level == IPPROTO_IPV6 && optname == IPV6_HOPOPTS);
		425	}
		426
		427	/**
413	* selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel	428	* selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel
414	* @sock: the socket	429	* @sock: the socket
415	* @level: the socket level or protocol	430	* @level: the socket level or protocol
@@ -431,7 +446,7 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock,
431	struct sk_security_struct *sksec = sk->sk_security;	446	struct sk_security_struct *sksec = sk->sk_security;
432	struct netlbl_lsm_secattr secattr;	447	struct netlbl_lsm_secattr secattr;
433		448
434	if (level == IPPROTO_IP && optname == IP_OPTIONS &&	449	if (selinux_netlbl_option(level, optname) &&
435	(sksec->nlbl_state == NLBL_LABELED \|\|	450	(sksec->nlbl_state == NLBL_LABELED \|\|
436	sksec->nlbl_state == NLBL_CONNLABELED)) {	451	sksec->nlbl_state == NLBL_CONNLABELED)) {
437	netlbl_secattr_init(&secattr);	452	netlbl_secattr_init(&secattr);