Merge branch 'master' into next

2 files changed, 14 insertions, 38 deletions

diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index f58701a7b728..350794ab9b42 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -386,11 +386,12 @@ int selinux_netlbl_inode_permission(struct inode *inode, int mask)
         if (!S_ISSOCK(inode->i_mode) ||
             ((mask & (MAY_WRITE | MAY_APPEND)) == 0))
                 return 0;
-
         sock = SOCKET_I(inode);
         sk = sock->sk;
+        if (sk == NULL)
+                return 0;
         sksec = sk->sk_security;
-        if (sksec->nlbl_state != NLBL_REQUIRE)
+        if (sksec == NULL || sksec->nlbl_state != NLBL_REQUIRE)
                 return 0;
 
         local_bh_disable();
@@ -490,8 +491,10 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock,
                 lock_sock(sk);
                 rc = netlbl_sock_getattr(sk, &secattr);
                 release_sock(sk);
-                if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
+                if (rc == 0)
                         rc = -EACCES;
+                else if (rc == -ENOMSG)
+                        rc = 0;
                 netlbl_secattr_destroy(&secattr);
         }
 
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 4f48da5b08cb..84b62b5e9e2c 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1496,58 +1496,31 @@ static int smack_socket_post_create(struct socket *sock, int family,
  * looks for host based access restrictions
  *
  * This version will only be appropriate for really small
- * sets of single label hosts. Because of the masking
- * it cannot shortcut out on the first match. There are
- * numerious ways to address the problem, but none of them
- * have been applied here.
+ * sets of single label hosts.
  *
  * Returns the label of the far end or NULL if it's not special.
  */
 static char *smack_host_label(struct sockaddr_in *sip)
 {
         struct smk_netlbladdr *snp;
-        char *bestlabel = NULL;
         struct in_addr *siap = &sip->sin_addr;
-        struct in_addr *liap;
-        struct in_addr *miap;
-        struct in_addr bestmask;
 
         if (siap->s_addr == 0)
                 return NULL;
 
-        bestmask.s_addr = 0;
-
         for (snp = smack_netlbladdrs; snp != NULL; snp = snp->smk_next) {
-                liap = &snp->smk_host.sin_addr;
-                miap = &snp->smk_mask;
-                /*
-                 * If the addresses match after applying the list entry mask
-                 * the entry matches the address. If it doesn't move along to
-                 * the next entry.
-                 */
-                if ((liap->s_addr & miap->s_addr) !=
-                    (siap->s_addr & miap->s_addr))
-                        continue;
                 /*
-                 * If the list entry mask identifies a single address
-                 * it can't get any more specific.
+                 * we break after finding the first match because
+                 * the list is sorted from longest to shortest mask
+                 * so we have found the most specific match
                  */
-                if (miap->s_addr == 0xffffffff)
+                if ((&snp->smk_host.sin_addr)->s_addr  ==
+                        (siap->s_addr & (&snp->smk_mask)->s_addr)) {
                         return snp->smk_label;
-                /*
-                 * If the list entry mask is less specific than the best
-                 * already found this entry is uninteresting.
-                 */
-                if ((miap->s_addr | bestmask.s_addr) == bestmask.s_addr)
-                        continue;
-                /*
-                 * This is better than any entry found so far.
-                 */
-                bestmask.s_addr = miap->s_addr;
-                bestlabel = snp->smk_label;
+                }
         }
 
-        return bestlabel;
+        return NULL;
 }
 
 /**