Diffstat (limited to 'security/selinux/hooks.c')
| -rw-r--r-- | security/selinux/hooks.c | 29 |
1 files changed, 24 insertions, 5 deletions
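--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3443,6 +3443,11 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
 		break;
 	}
 
+	if (unlikely(ret))
+		printk(KERN_WARNING
+		       "SELinux: failure in selinux_parse_skb(),"
+		       " unable to parse packet\n");
+
 	return ret;
 }
 
@@ -3463,6 +3468,7 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
  */
 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
 {
+	int err;
 	u32 xfrm_sid;
 	u32 nlbl_sid;
 	u32 nlbl_type;
@@ -3470,10 +3476,13 @@ static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
 	selinux_skb_xfrm_sid(skb, &xfrm_sid);
 	selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
 
-	if (security_net_peersid_resolve(nlbl_sid, nlbl_type,
-					 xfrm_sid,
-					 sid) != 0)
+	err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
+	if (unlikely(err)) {
+		printk(KERN_WARNING
+		       "SELinux: failure in selinux_skb_peerlbl_sid(),"
+		       " unable to determine packet's peer label\n");
 		return -EACCES;
+	}
 
 	return 0;
 }
@@ -3925,8 +3934,13 @@ static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
 	err = security_port_sid(sk->sk_family, sk->sk_type,
 				sk->sk_protocol, ntohs(ad->u.net.sport),
 				&port_sid);
-	if (err)
+	if (unlikely(err)) {
+		printk(KERN_WARNING
+		       "SELinux: failure in"
+		       " selinux_sock_rcv_skb_iptables_compat(),"
+		       " network port label not found\n");
 		return err;
+	}
 	return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
 }
 
@@ -4343,8 +4357,13 @@ static int selinux_ip_postroute_iptables_compat(struct sock *sk,
 	err = security_port_sid(sk->sk_family, sk->sk_type,
 				sk->sk_protocol, ntohs(ad->u.net.dport),
 				&port_sid);
-	if (err)
+	if (unlikely(err)) {
+		printk(KERN_WARNING
+		       "SELinux: failure in"
+		       " selinux_ip_postroute_iptables_compat(),"
+		       " network port label not found\n");
 		return err;
+	}
 	return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
 }
 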
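Review bot: The new printk(KERN_WARNING ...) calls are unratelimited, yet each sits on a path that inbound or outbound packets can drive — a packet selinux_parse_skb() cannot parse (that function begins before the first hunk), a packet whose peer label cannot be resolved in selinux_skb_peerlbl_sid(), and a port with no label in the two iptables_compat hooks — so a steady stream of such packets can flood the kernel log and drown the messages a defender actually wants. Put the network rate limiter in front of each message, e.g. `if (net_ratelimit())` immediately before each `printk(KERN_WARNING`; in the first hunk this can be folded into the condition as `if (unlikely(ret) && net_ratelimit())`, but in the other three hunks the `return` must stay outside the rate-limit check so the error is still propagated when the message is suppressed. The same point applies to all five hunks of this file; it is raised once here.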
