1 files changed, 22 insertions, 11 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 64d414efb404..5df12072c8d5 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3429,6 +3429,7 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
 /**
 * selinux_skb_extlbl_sid - Determine the external label of a packet
 * @skb: the packet
+ * @family: protocol family
 * @sid: the packet's SID
 *
 * Description:
@@ -3441,13 +3442,16 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
 * selinux_netlbl_skbuff_getsid().
 *
 */
-static void selinux_skb_extlbl_sid(struct sk_buff *skb, u32 *sid)
+static void selinux_skb_extlbl_sid(struct sk_buff *skb,
+                                   u16 family,
+                                   u32 *sid)
 {
        u32 xfrm_sid;
        u32 nlbl_sid;
        selinux_skb_xfrm_sid(skb, &xfrm_sid);
        if (selinux_netlbl_skbuff_getsid(skb,
+                                         family,
                                         (xfrm_sid == SECSID_NULL ?
                                          SECINITSID_NETMSG : xfrm_sid),
                                         &nlbl_sid) != 0)
@@ -3940,7 +3944,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
        if (err)
                goto out;
-        err = selinux_netlbl_sock_rcv_skb(sksec, skb, &ad);
+        err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
        if (err)
                goto out;
@@ -3996,18 +4000,25 @@ out:
 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
 {
        u32 peer_secid = SECSID_NULL;
-        int err = 0;
+        u16 family;
-        if (sock && sock->sk->sk_family == PF_UNIX)
+        if (sock)
+                family = sock->sk->sk_family;
+        else if (skb && skb->sk)
+                family = skb->sk->sk_family;
+        else
+                goto out;
+        if (sock && family == PF_UNIX)
                selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
        else if (skb)
-                selinux_skb_extlbl_sid(skb, &peer_secid);
+                selinux_skb_extlbl_sid(skb, family, &peer_secid);
-        if (peer_secid == SECSID_NULL)
+out:
-                err = -EINVAL;
        *secid = peer_secid;
+        if (peer_secid == SECSID_NULL)
-        return err;
+                return -EINVAL;
+        return 0;
 }
 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
@@ -4062,7 +4073,7 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
        u32 newsid;
        u32 peersid;
-        selinux_skb_extlbl_sid(skb, &peersid);
+        selinux_skb_extlbl_sid(skb, sk->sk_family, &peersid);
        if (peersid == SECSID_NULL) {
                req->secid = sksec->sid;
                req->peer_secid = SECSID_NULL;
@@ -4100,7 +4111,7 @@ static void selinux_inet_conn_established(struct sock *sk,
 {
        struct sk_security_struct *sksec = sk->sk_security;
-        selinux_skb_extlbl_sid(skb, &sksec->peer_sid);
+        selinux_skb_extlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
 }
 static void selinux_req_classify_flow(const struct request_sock *req,

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 64d414efb404..5df12072c8d5 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -3429,6 +3429,7 @@ static int selinux_parse_skb(struct sk_buff skb, struct avc_audit_data ad,
3429	/**	3429	/**
3430	* selinux_skb_extlbl_sid - Determine the external label of a packet	3430	* selinux_skb_extlbl_sid - Determine the external label of a packet
3431	* @skb: the packet	3431	* @skb: the packet
		3432	* @family: protocol family
3432	* @sid: the packet's SID	3433	* @sid: the packet's SID
3433	*	3434	*
3434	* Description:	3435	* Description:
@@ -3441,13 +3442,16 @@ static int selinux_parse_skb(struct sk_buff skb, struct avc_audit_data ad,
3441	* selinux_netlbl_skbuff_getsid().	3442	* selinux_netlbl_skbuff_getsid().
3442	*	3443	*
3443	*/	3444	*/
3444	static void selinux_skb_extlbl_sid(struct sk_buff skb, u32 sid)	3445	static void selinux_skb_extlbl_sid(struct sk_buff *skb,
		3446	u16 family,
		3447	u32 *sid)
3445	{	3448	{
3446	u32 xfrm_sid;	3449	u32 xfrm_sid;
3447	u32 nlbl_sid;	3450	u32 nlbl_sid;
3448		3451
3449	selinux_skb_xfrm_sid(skb, &xfrm_sid);	3452	selinux_skb_xfrm_sid(skb, &xfrm_sid);
3450	if (selinux_netlbl_skbuff_getsid(skb,	3453	if (selinux_netlbl_skbuff_getsid(skb,
		3454	family,
3451	(xfrm_sid == SECSID_NULL ?	3455	(xfrm_sid == SECSID_NULL ?
3452	SECINITSID_NETMSG : xfrm_sid),	3456	SECINITSID_NETMSG : xfrm_sid),
3453	&nlbl_sid) != 0)	3457	&nlbl_sid) != 0)
@@ -3940,7 +3944,7 @@ static int selinux_socket_sock_rcv_skb(struct sock sk, struct sk_buff skb)
3940	if (err)	3944	if (err)
3941	goto out;	3945	goto out;
3942		3946
3943	err = selinux_netlbl_sock_rcv_skb(sksec, skb, &ad);	3947	err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
3944	if (err)	3948	if (err)
3945	goto out;	3949	goto out;
3946		3950
@@ -3996,18 +4000,25 @@ out:
3996	static int selinux_socket_getpeersec_dgram(struct socket sock, struct sk_buff skb, u32 *secid)	4000	static int selinux_socket_getpeersec_dgram(struct socket sock, struct sk_buff skb, u32 *secid)
3997	{	4001	{
3998	u32 peer_secid = SECSID_NULL;	4002	u32 peer_secid = SECSID_NULL;
3999	int err = 0;	4003	u16 family;
4000		4004
4001	if (sock && sock->sk->sk_family == PF_UNIX)	4005	if (sock)
		4006	family = sock->sk->sk_family;
		4007	else if (skb && skb->sk)
		4008	family = skb->sk->sk_family;
		4009	else
		4010	goto out;
		4011
		4012	if (sock && family == PF_UNIX)
4002	selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);	4013	selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
4003	else if (skb)	4014	else if (skb)
4004	selinux_skb_extlbl_sid(skb, &peer_secid);	4015	selinux_skb_extlbl_sid(skb, family, &peer_secid);
4005		4016
4006	if (peer_secid == SECSID_NULL)	4017	out:
4007	err = -EINVAL;
4008	*secid = peer_secid;	4018	*secid = peer_secid;
4009		4019	if (peer_secid == SECSID_NULL)
4010	return err;	4020	return -EINVAL;
		4021	return 0;
4011	}	4022	}
4012		4023
4013	static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)	4024	static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
@@ -4062,7 +4073,7 @@ static int selinux_inet_conn_request(struct sock sk, struct sk_buff skb,
4062	u32 newsid;	4073	u32 newsid;
4063	u32 peersid;	4074	u32 peersid;
4064		4075
4065	selinux_skb_extlbl_sid(skb, &peersid);	4076	selinux_skb_extlbl_sid(skb, sk->sk_family, &peersid);
4066	if (peersid == SECSID_NULL) {	4077	if (peersid == SECSID_NULL) {
4067	req->secid = sksec->sid;	4078	req->secid = sksec->sid;
4068	req->peer_secid = SECSID_NULL;	4079	req->peer_secid = SECSID_NULL;
@@ -4100,7 +4111,7 @@ static void selinux_inet_conn_established(struct sock *sk,
4100	{	4111	{
4101	struct sk_security_struct *sksec = sk->sk_security;	4112	struct sk_security_struct *sksec = sk->sk_security;
4102		4113
4103	selinux_skb_extlbl_sid(skb, &sksec->peer_sid);	4114	selinux_skb_extlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4104	}	4115	}
4105		4116
4106	static void selinux_req_classify_flow(const struct request_sock *req,	4117	static void selinux_req_classify_flow(const struct request_sock *req,