From f8687afefcc821fc47c75775eec87731fe3de360 Mon Sep 17 00:00:00 2001
From: Paul Moore <paul.moore@hp.com>
Date: Mon, 30 Oct 2006 15:22:15 -0800
Subject: [NetLabel]: protect the CIPSOv4 socket option from setsockopt()

This patch makes two changes to protect applications from either removing or
tampering with the CIPSOv4 IP option on a socket.  The first is the requirement
that applications have the CAP_NET_RAW capability to set an IPOPT_CIPSO option
on a socket; this prevents untrusted applications from setting their own
CIPSOv4 security attributes on the packets they send.  The second change is to
SELinux and it prevents applications from setting any IPv4 options when there
is an IPOPT_CIPSO option already present on the socket; this prevents
applications from removing CIPSOv4 security attributes from the packets they
send.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
 security/selinux/hooks.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'security/selinux/hooks.c')

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index e9969a2fc846..8ab5679a37a3 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3313,7 +3313,13 @@ static int selinux_socket_getpeername(struct socket *sock)
 
 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
 {
-	return socket_has_perm(current, sock, SOCKET__SETOPT);
+	int err;
+
+	err = socket_has_perm(current, sock, SOCKET__SETOPT);
+	if (err)
+		return err;
+
+	return selinux_netlbl_socket_setsockopt(sock, level, optname);
 }
 
 static int selinux_socket_getsockopt(struct socket *sock, int level,
-- 
cgit v1.2.2


From fc5d81e69d15c65ca20d9e5b4e242690e3e9c27d Mon Sep 17 00:00:00 2001
From: Akinobu Mita <akinobu.mita@gmail.com>
Date: Mon, 27 Nov 2006 15:16:48 +0900
Subject: selinux: fix dentry_open() error check

The return value of dentry_open() shoud be checked by IS_ERR().

Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: James Morris <jmorris@namei.org>
Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Signed-off-by: James Morris <jmorris@namei.org>
---
 security/selinux/hooks.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'security/selinux/hooks.c')

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 8ab5679a37a3..28ee187ed224 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1754,7 +1754,8 @@ static inline void flush_unauthorized_files(struct files_struct * files)
 						get_file(devnull);
 					} else {
 						devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
-						if (!devnull) {
+						if (IS_ERR(devnull)) {
+							devnull = NULL;
 							put_unused_fd(fd);
 							fput(file);
 							continue;
-- 
cgit v1.2.2