authorSteffen Klassert <steffen.klassert@secunet.com>2011-02-23 06:55:21 -0500
committerEric Paris <eparis@redhat.com>2011-02-25 15:00:47 -0500
commitb9679a76187694138099e09d7f5091b73086e6d7 (patch)
tree224bfa579013b55ed6c459879ba0aab6d28e8ae2
parent8f82a6880d8d03961181d973388e1df2772a8b24 (diff)
selinux: Fix wrong checks for selinux_policycap_netpeer
selinux_sock_rcv_skb_compat and selinux_ip_postroute_compat are only called if selinux_policycap_netpeer is not set. However, in these functions we check whether selinux_policycap_netpeer is set. This leads to some dead code and means that selinux_xfrm_postroute_last is never executed. This patch removes the dead code and the checks for selinux_policycap_netpeer in the compatibility functions. Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Acked-by: Paul Moore <paul.moore@hp.com> Signed-off-by: Eric Paris <eparis@redhat.com>
-rw-r--r--security/selinux/hooks.c24
1 files changed, 6 insertions, 18 deletions
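--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3915,7 +3915,6 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
 {
 	int err = 0;
 	struct sk_security_struct *sksec = sk->sk_security;
-	u32 peer_sid;
 	u32 sk_sid = sksec->sid;
 	struct common_audit_data ad;
 	char *addrp;
@@ -3934,20 +3933,10 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
 		return err;
 	}
 
-	if (selinux_policycap_netpeer) {
-		err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
-		if (err)
-			return err;
-		err = avc_has_perm(sk_sid, peer_sid,
-				   SECCLASS_PEER, PEER__RECV, &ad);
-		if (err)
-			selinux_netlbl_err(skb, err, 0);
-	} else {
-		err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
-		if (err)
-			return err;
-		err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
-	}
+	err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
+	if (err)
+		return err;
+	err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
 
 	return err;
 }
@@ -4442,9 +4431,8 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
 			    SECCLASS_PACKET, PACKET__SEND, &ad))
 		return NF_DROP_ERR(-ECONNREFUSED);
 
-	if (selinux_policycap_netpeer)
-		if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
-			return NF_DROP_ERR(-ECONNREFUSED);
+	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
+		return NF_DROP_ERR(-ECONNREFUSED);
 
 	return NF_ACCEPT;
 }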
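Review bot: The surviving call `err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);` in selinux_sock_rcv_skb_compat passes `sksec->sid` even though the function already caches that value in `sk_sid` in the first hunk; writing it as `err = selinux_xfrm_sock_rcv_skb(sk_sid, skb, &ad);` keeps the hunks consistent and makes it obvious the remaining local is still wanted (whether `sk_sid` is used elsewhere is not visible here, since the body between the two hunks is outside the diff). Both compat functions now depend entirely on their callers having tested selinux_policycap_netpeer, and nothing in the new code records that; a one-line comment at the top of each, e.g. `/* Only reached when selinux_policycap_netpeer is not set; the caller checks it. */`, would stop the removed checks from being reintroduced. Both functions begin before their hunks, so the proposed comments would sit outside the visible lines.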