
Commit b9679a76 authored by Steffen Klassert's avatar Steffen Klassert Committed by Eric Paris

selinux: Fix wrong checks for selinux_policycap_netpeer



selinux_sock_rcv_skb_compat and selinux_ip_postroute_compat are just
called if selinux_policycap_netpeer is not set. However in these
functions we check if selinux_policycap_netpeer is set. This leads
to some dead code and to the fact that selinux_xfrm_postroute_last
is never executed. This patch removes the dead code and the checks
for selinux_policycap_netpeer in the compatibility functions.

Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
Acked-by: default avatarPaul Moore <paul.moore@hp.com>
Signed-off-by: default avatarEric Paris <eparis@redhat.com>
parent 8f82a688
+6 −18
@@ -3915,7 +3915,6 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
{
	int err = 0;
	struct sk_security_struct *sksec = sk->sk_security;
	u32 peer_sid;
	u32 sk_sid = sksec->sid;
	struct common_audit_data ad;
	char *addrp;
@@ -3934,20 +3933,10 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
			return err;
	}

	if (selinux_policycap_netpeer) {
		err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
		if (err)
			return err;
		err = avc_has_perm(sk_sid, peer_sid,
				   SECCLASS_PEER, PEER__RECV, &ad);
		if (err)
			selinux_netlbl_err(skb, err, 0);
	} else {
	err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
	if (err)
		return err;
	err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
	}

	return err;
}
@@ -4442,7 +4431,6 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
				 SECCLASS_PACKET, PACKET__SEND, &ad))
			return NF_DROP_ERR(-ECONNREFUSED);

	if (selinux_policycap_netpeer)
	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
		return NF_DROP_ERR(-ECONNREFUSED);
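Review bot: Nothing in selinux_ip_postroute_compat, or in selinux_sock_rcv_skb_compat in the earlier hunk, records the precondition this fix relies on: that both are reached only when selinux_policycap_netpeer is clear. That is stated only in the commit message. A one-line comment above each function, for example `/* compat path: only reached when selinux_policycap_netpeer is not set */`, would make it harder for the guard to creep back in; the old guard is what kept the selinux_xfrm_postroute_last check from ever running here. Because that check is now enforced and can return `NF_DROP_ERR(-ECONNREFUSED)`, systems on the compat path may presumably see denials they did not see before, which is worth a sentence in the changelog for anyone backporting. Both function bodies start and continue outside the visible hunks.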