Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 899134f2 authored by Paul Moore's avatar Paul Moore
Browse files

selinux: don't revalidate inodes in selinux_socket_getpeersec_dgram() 



We don't have to worry about socket inodes being invalidated so
use inode_security_novalidate() to fetch the inode's security blob.

Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
parent 341e0cb5

security/selinux/hooks.c

+5 −3
Original line number Original line Diff line number Diff line
@@ -4598,6 +4598,7 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff * 
{

{

	u32 peer_secid = SECSID_NULL;

	u32 peer_secid = SECSID_NULL;

	u16 family;

	u16 family;

	struct inode_security_struct *isec;





	if (skb && skb->protocol == htons(ETH_P_IP))

	if (skb && skb->protocol == htons(ETH_P_IP))

		family = PF_INET;

		family = PF_INET;
@@ -4608,9 +4609,10 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff * 
	else

	else

		goto out;

		goto out;





	if (sock && family == PF_UNIX)

	if (sock && family == PF_UNIX) {

		selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);

		isec = inode_security_novalidate(SOCK_INODE(sock));

	else if (skb)

		peer_secid = isec->sid;

	} else if (skb)

		selinux_skb_peerlbl_sid(skb, family, &peer_secid);

		selinux_skb_peerlbl_sid(skb, family, &peer_secid);





out:

out: