selinux: add AF_UNSPEC and INADDR_ANY checks to selinux_socket_bind() (0f8db8cc) · Commits · e / devices / android_kernel_teracube_mt6765

security/selinux/hooks.c

+19 −10

Original line number	Diff line number	Diff line
		@@ -4568,6 +4568,7 @@ static int selinux_socket_post_create(struct socket *sock, int family,
		static int selinux_socket_bind(struct socket sock, struct sockaddr address, int addrlen)
		{
		struct sock *sk = sock->sk;
		struct sk_security_struct *sksec = sk->sk_security;
		u16 family;
		int err;

		@@ -4579,11 +4580,11 @@ static int selinux_socket_bind(struct socket sock, struct sockaddr address, in
		family = sk->sk_family;
		if (family == PF_INET \|\| family == PF_INET6) {
		char *addrp;
		struct sk_security_struct *sksec = sk->sk_security;
		struct common_audit_data ad;
		struct lsm_network_audit net = {0,};
		struct sockaddr_in *addr4 = NULL;
		struct sockaddr_in6 *addr6 = NULL;
		u16 family_sa = address->sa_family;
		unsigned short snum;
		u32 sid, node_perm;

		@@ -4593,11 +4594,20 @@ static int selinux_socket_bind(struct socket sock, struct sockaddr address, in
		* need to check address->sa_family as it is possible to have
		* sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
		*/
		switch (address->sa_family) {
		switch (family_sa) {
		case AF_UNSPEC:
		case AF_INET:
		if (addrlen < sizeof(struct sockaddr_in))
		return -EINVAL;
		addr4 = (struct sockaddr_in *)address;
		if (family_sa == AF_UNSPEC) {
		/* see __inet_bind(), we only want to allow
		* AF_UNSPEC if the address is INADDR_ANY
		*/
		if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
		goto err_af;
		family_sa = AF_INET;
		}
		snum = ntohs(addr4->sin_port);
		addrp = (char *)&addr4->sin_addr.s_addr;
		break;
		@@ -4609,13 +4619,7 @@ static int selinux_socket_bind(struct socket sock, struct sockaddr address, in
		addrp = (char *)&addr6->sin6_addr.s6_addr;
		break;
		default:
		/* Note that SCTP services expect -EINVAL, whereas
		* others expect -EAFNOSUPPORT.
		*/
		if (sksec->sclass == SECCLASS_SCTP_SOCKET)
		return -EINVAL;
		else
		return -EAFNOSUPPORT;
		goto err_af;
		}

		if (snum) {
		@@ -4673,7 +4677,7 @@ static int selinux_socket_bind(struct socket sock, struct sockaddr address, in
		ad.u.net->sport = htons(snum);
		ad.u.net->family = family;

		if (address->sa_family == AF_INET)
		if (family_sa == AF_INET)
		ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
		else
		ad.u.net->v6info.saddr = addr6->sin6_addr;
		@@ -4686,6 +4690,11 @@ static int selinux_socket_bind(struct socket sock, struct sockaddr address, in
		}
		out:
		return err;
		err_af:
		/* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
		if (sksec->sclass == SECCLASS_SCTP_SOCKET)
		return -EINVAL;
		return -EAFNOSUPPORT;
		}

		/* This supports connect(2) and SCTP connect services such as sctp_connectx(3)