1 files changed, 13 insertions, 13 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 28832e68980..b6c378dd4f1 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3641,32 +3641,32 @@ static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
 {
-        struct task_security_struct *tsec;
-        struct av_decision avd;
        int err;
        err = secondary_ops->netlink_send(sk, skb);
        if (err)
                return err;
-        tsec = current->security;
-        avd.allowed = 0;
-        avc_has_perm_noaudit(tsec->sid, tsec->sid,
-                                SECCLASS_CAPABILITY, ~0, &avd);
-        cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed);
        if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
                err = selinux_nlmsg_perm(sk, skb);
        return err;
 }
-static int selinux_netlink_recv(struct sk_buff *skb)
+static int selinux_netlink_recv(struct sk_buff *skb, int capability)
 {
-        if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
+        int err;
-                return -EPERM;
+        struct avc_audit_data ad;
-        return 0;
+        err = secondary_ops->netlink_recv(skb, capability);
+        if (err)
+                return err;
+        AVC_AUDIT_DATA_INIT(&ad, CAP);
+        ad.u.cap = capability;
+        return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
+                            SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
 }
 static int ipc_alloc_security(struct task_struct *task,

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 28832e68980..b6c378dd4f1 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -3641,32 +3641,32 @@ static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3641		3641
3642	static int selinux_netlink_send(struct sock sk, struct sk_buff skb)	3642	static int selinux_netlink_send(struct sock sk, struct sk_buff skb)
3643	{	3643	{
3644	struct task_security_struct *tsec;
3645	struct av_decision avd;
3646	int err;	3644	int err;
3647		3645
3648	err = secondary_ops->netlink_send(sk, skb);	3646	err = secondary_ops->netlink_send(sk, skb);
3649	if (err)	3647	if (err)
3650	return err;	3648	return err;
3651		3649
3652	tsec = current->security;
3653
3654	avd.allowed = 0;
3655	avc_has_perm_noaudit(tsec->sid, tsec->sid,
3656	SECCLASS_CAPABILITY, ~0, &avd);
3657	cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed);
3658
3659	if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)	3650	if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3660	err = selinux_nlmsg_perm(sk, skb);	3651	err = selinux_nlmsg_perm(sk, skb);
3661		3652
3662	return err;	3653	return err;
3663	}	3654	}
3664		3655
3665	static int selinux_netlink_recv(struct sk_buff *skb)	3656	static int selinux_netlink_recv(struct sk_buff *skb, int capability)
3666	{	3657	{
3667	if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))	3658	int err;
3668	return -EPERM;	3659	struct avc_audit_data ad;
3669	return 0;	3660
		3661	err = secondary_ops->netlink_recv(skb, capability);
		3662	if (err)
		3663	return err;
		3664
		3665	AVC_AUDIT_DATA_INIT(&ad, CAP);
		3666	ad.u.cap = capability;
		3667
		3668	return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
		3669	SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
3670	}	3670	}
3671		3671
3672	static int ipc_alloc_security(struct task_struct *task,	3672	static int ipc_alloc_security(struct task_struct *task,