| author | Steffen Klassert <steffen.klassert@secunet.com> | 2011-02-23 06:55:21 -0500 |
|---|---|---|
| committer | Eric Paris <eparis@redhat.com> | 2011-02-25 15:00:47 -0500 |
| commit | b9679a76187694138099e09d7f5091b73086e6d7 (patch) | |
| tree | 224bfa579013b55ed6c459879ba0aab6d28e8ae2 /security | |
| parent | 8f82a6880d8d03961181d973388e1df2772a8b24 (diff) | |
selinux: Fix wrong checks for selinux_policycap_netpeer
selinux_sock_rcv_skb_compat and selinux_ip_postroute_compat are only
called if selinux_policycap_netpeer is not set. However in these
functions we check if selinux_policycap_netpeer is set. This leads
to some dead code and to the fact that selinux_xfrm_postroute_last
is never executed. This patch removes the dead code and the checks
for selinux_policycap_netpeer in the compatibility functions.
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Acked-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Diffstat (limited to 'security')
| -rw-r--r-- | security/selinux/hooks.c | 24 |
1 files changed, 6 insertions, 18 deletions
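--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3915,7 +3915,6 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
 {
 	int err = 0;
 	struct sk_security_struct *sksec = sk->sk_security;
-	u32 peer_sid;
 	u32 sk_sid = sksec->sid;
 	struct common_audit_data ad;
 	char *addrp;
@@ -3934,20 +3933,10 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
 			return err;
 	}
 
-	if (selinux_policycap_netpeer) {
-		err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
-		if (err)
-			return err;
-		err = avc_has_perm(sk_sid, peer_sid,
-				   SECCLASS_PEER, PEER__RECV, &ad);
-		if (err)
-			selinux_netlbl_err(skb, err, 0);
-	} else {
-		err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
-		if (err)
-			return err;
-		err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
-	}
+	err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
+	if (err)
+		return err;
+	err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
 
 	return err;
 }
@@ -4442,9 +4431,8 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
 			 SECCLASS_PACKET, PACKET__SEND, &ad))
 		return NF_DROP_ERR(-ECONNREFUSED);
 
-	if (selinux_policycap_netpeer)
-		if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
-			return NF_DROP_ERR(-ECONNREFUSED);
+	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
+		return NF_DROP_ERR(-ECONNREFUSED);
 
 	return NF_ACCEPT;
 }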
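Review bot: Both compat functions now rely unconditionally on the caller having already established that selinux_policycap_netpeer is clear, but nothing on the new side records that precondition, so a future caller could reach the compat path with netpeer set and silently skip the peer-label check that the non-compat path performs. A one-line comment at the top of the new netlabel/xfrm sequence in selinux_sock_rcv_skb_compat (new line 3936), e.g. `/* compat path: caller guarantees !selinux_policycap_netpeer */`, and the same note above the now-unguarded selinux_xfrm_postroute_last() call in selinux_ip_postroute_compat (new line 4434) would make the contract visible at the point it matters. As a point of style, new line 3939 passes `sksec->sid` while the same function already caches that value in `sk_sid` at line 3918; using `sk_sid` there keeps the two reads consistent. The bodies of both functions start and continue outside the hunks shown.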
