author | Steffen Klassert <steffen.klassert@secunet.com> | 2011-02-23 06:55:21 -0500 |
committer | Eric Paris <eparis@redhat.com> | 2011-02-25 15:00:47 -0500 |
commit | b9679a76187694138099e09d7f5091b73086e6d7 (patch) | |
tree | 224bfa579013b55ed6c459879ba0aab6d28e8ae2 | |
parent | 8f82a6880d8d03961181d973388e1df2772a8b24 (diff) |
selinux: Fix wrong checks for selinux_policycap_netpeer
selinux_sock_rcv_skb_compat and selinux_ip_postroute_compat are only
called if selinux_policycap_netpeer is not set. However in these
functions we check if selinux_policycap_netpeer is set. This leads
to some dead code and to the fact that selinux_xfrm_postroute_last
is never executed. This patch removes the dead code and the checks
for selinux_policycap_netpeer in the compatibility functions.
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Acked-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
-rw-r--r-- | security/selinux/hooks.c | 24 |
1 files changed, 6 insertions, 18 deletions
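--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3915,7 +3915,6 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
 {
 	int err = 0;
 	struct sk_security_struct *sksec = sk->sk_security;
-	u32 peer_sid;
 	u32 sk_sid = sksec->sid;
 	struct common_audit_data ad;
 	char *addrp;
@@ -3934,20 +3933,10 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
 		return err;
 	}
 
-	if (selinux_policycap_netpeer) {
-		err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
-		if (err)
-			return err;
-		err = avc_has_perm(sk_sid, peer_sid,
-				   SECCLASS_PEER, PEER__RECV, &ad);
-		if (err)
-			selinux_netlbl_err(skb, err, 0);
-	} else {
-		err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
-		if (err)
-			return err;
-		err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
-	}
+	err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
+	if (err)
+		return err;
+	err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
 
 	return err;
 }
@@ -4442,9 +4431,8 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
 			     SECCLASS_PACKET, PACKET__SEND, &ad))
 		return NF_DROP_ERR(-ECONNREFUSED);
 
-	if (selinux_policycap_netpeer)
-		if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
-			return NF_DROP_ERR(-ECONNREFUSED);
+	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
+		return NF_DROP_ERR(-ECONNREFUSED);
 
 	return NF_ACCEPT;
 }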
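Review bot: With the in-function `selinux_policycap_netpeer` tests removed, nothing left in `selinux_sock_rcv_skb_compat` or `selinux_ip_postroute_compat` records that they are reached only when the capability is off, so a later edit could wire them in unconditionally without noticing; a one-line comment above each function, e.g. `/* Only reached when selinux_policycap_netpeer is not set; the caller checks it. */`, would keep that precondition visible. On the new side of the second hunk, `err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);` could pass the `sk_sid` local that the first hunk initializes from `sksec->sid`, so the function uses one name for the socket SID. Both functions start outside the hunks shown, so the exact placement of the comment is inferred.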