1 files changed, 22 insertions, 17 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 0753b20e23fe..3c3fff33d1ce 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -47,7 +47,7 @@
 #include <linux/netfilter_ipv6.h>
 #include <linux/tty.h>
 #include <net/icmp.h>
-#include <net/ip.h>             /* for sysctl_local_port_range[] */
+#include <net/ip.h>             /* for local_port_range[] */
 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
 #include <asm/uaccess.h>
 #include <asm/ioctls.h>
@@ -3232,8 +3232,6 @@ static int selinux_socket_post_create(struct socket *sock, int family,
 /* Range of port numbers used to automatically bind.
   Need to determine whether we should perform a name_bind
   permission check between the socket and the port number. */
-#define ip_local_port_range_0 sysctl_local_port_range[0]
-#define ip_local_port_range_1 sysctl_local_port_range[1]
 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
 {
@@ -3276,20 +3274,27 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
                        addrp = (char *)&addr6->sin6_addr.s6_addr;
                }
-                if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
+                if (snum) {
-                           snum > ip_local_port_range_1)) {
+                        int low, high;
-                        err = security_port_sid(sk->sk_family, sk->sk_type,
-                                                sk->sk_protocol, snum, &sid);
+                        inet_get_local_port_range(&low, &high);
-                        if (err)
-                                goto out;
+                        if (snum < max(PROT_SOCK, low) || snum > high) {
-                        AVC_AUDIT_DATA_INIT(&ad,NET);
+                                err = security_port_sid(sk->sk_family,
-                        ad.u.net.sport = htons(snum);
+                                                        sk->sk_type,
-                        ad.u.net.family = family;
+                                                        sk->sk_protocol, snum,
-                        err = avc_has_perm(isec->sid, sid,
+                                                        &sid);
-                                           isec->sclass,
+                                if (err)
-                                           SOCKET__NAME_BIND, &ad);
+                                        goto out;
-                        if (err)
+                                AVC_AUDIT_DATA_INIT(&ad,NET);
-                                goto out;
+                                ad.u.net.sport = htons(snum);
+                                ad.u.net.family = family;
+                                err = avc_has_perm(isec->sid, sid,
+                                                   isec->sclass,
+                                                   SOCKET__NAME_BIND, &ad);
+                                if (err)
+                                        goto out;
+                        }
                }
                
                switch(isec->sclass) {

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 0753b20e23fe..3c3fff33d1ce 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -47,7 +47,7 @@
47	#include <linux/netfilter_ipv6.h>	47	#include <linux/netfilter_ipv6.h>
48	#include <linux/tty.h>	48	#include <linux/tty.h>
49	#include <net/icmp.h>	49	#include <net/icmp.h>
50	#include <net/ip.h> /* for sysctl_local_port_range[] */	50	#include <net/ip.h> /* for local_port_range[] */
51	#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */	51	#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
52	#include <asm/uaccess.h>	52	#include <asm/uaccess.h>
53	#include <asm/ioctls.h>	53	#include <asm/ioctls.h>
@@ -3232,8 +3232,6 @@ static int selinux_socket_post_create(struct socket *sock, int family,
3232	/* Range of port numbers used to automatically bind.	3232	/* Range of port numbers used to automatically bind.
3233	Need to determine whether we should perform a name_bind	3233	Need to determine whether we should perform a name_bind
3234	permission check between the socket and the port number. */	3234	permission check between the socket and the port number. */
3235	#define ip_local_port_range_0 sysctl_local_port_range[0]
3236	#define ip_local_port_range_1 sysctl_local_port_range[1]
3237		3235
3238	static int selinux_socket_bind(struct socket sock, struct sockaddr address, int addrlen)	3236	static int selinux_socket_bind(struct socket sock, struct sockaddr address, int addrlen)
3239	{	3237	{
@@ -3276,20 +3274,27 @@ static int selinux_socket_bind(struct socket sock, struct sockaddr address, in
3276	addrp = (char *)&addr6->sin6_addr.s6_addr;	3274	addrp = (char *)&addr6->sin6_addr.s6_addr;
3277	}	3275	}
3278		3276
3279	if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) \|\|	3277	if (snum) {
3280	snum > ip_local_port_range_1)) {	3278	int low, high;
3281	err = security_port_sid(sk->sk_family, sk->sk_type,	3279
3282	sk->sk_protocol, snum, &sid);	3280	inet_get_local_port_range(&low, &high);
3283	if (err)	3281
3284	goto out;	3282	if (snum < max(PROT_SOCK, low) \|\| snum > high) {
3285	AVC_AUDIT_DATA_INIT(&ad,NET);	3283	err = security_port_sid(sk->sk_family,
3286	ad.u.net.sport = htons(snum);	3284	sk->sk_type,
3287	ad.u.net.family = family;	3285	sk->sk_protocol, snum,
3288	err = avc_has_perm(isec->sid, sid,	3286	&sid);
3289	isec->sclass,	3287	if (err)
3290	SOCKET__NAME_BIND, &ad);	3288	goto out;
3291	if (err)	3289	AVC_AUDIT_DATA_INIT(&ad,NET);
3292	goto out;	3290	ad.u.net.sport = htons(snum);
		3291	ad.u.net.family = family;
		3292	err = avc_has_perm(isec->sid, sid,
		3293	isec->sclass,
		3294	SOCKET__NAME_BIND, &ad);
		3295	if (err)
		3296	goto out;
		3297	}
3293	}	3298	}
3294		3299
3295	switch(isec->sclass) {	3300	switch(isec->sclass) {