Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 1f440c99 authored by Huw Davies's avatar Huw Davies Committed by Paul Moore
Browse files

netlabel: Prevent setsockopt() from changing the hop-by-hop option. 



If a socket has a netlabel in place then don't let setsockopt() alter
the socket's IPv6 hop-by-hop option.  This is in the same spirit as
the existing check for IPv4.

Signed-off-by: default avatarHuw Davies <huw@codeweavers.com>
Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
parent ceba1832

security/selinux/netlabel.c

+16 −1
Original line number Diff line number Diff line
@@ -409,6 +409,21 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, 
	return rc;

}



/**

 * selinux_netlbl_option - Is this a NetLabel option

 * @level: the socket level or protocol

 * @optname: the socket option name

 *

 * Description:

 * Returns true if @level and @optname refer to a NetLabel option.

 * Helper for selinux_netlbl_socket_setsockopt().

 */

static inline int selinux_netlbl_option(int level, int optname)

{

	return (level == IPPROTO_IP && optname == IP_OPTIONS) ||

		(level == IPPROTO_IPV6 && optname == IPV6_HOPOPTS);

}



/**

 * selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel

 * @sock: the socket
@@ -431,7 +446,7 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock, 
	struct sk_security_struct *sksec = sk->sk_security;

	struct netlbl_lsm_secattr secattr;



	if (level == IPPROTO_IP && optname == IP_OPTIONS &&

	if (selinux_netlbl_option(level, optname) &&

	    (sksec->nlbl_state == NLBL_LABELED ||

	     sksec->nlbl_state == NLBL_CONNLABELED)) {

		netlbl_secattr_init(&secattr);