summaryrefslogtreecommitdiffstats
path: root/security/selinux/hooks.c
diff options
context:
space:
mode:
authorPaul Moore <paul.moore@hp.com>2008-10-10 16:16:31 +0200
committerPaul Moore <paul.moore@hp.com>2008-10-10 16:16:31 +0200
commitdfaebe9825ff34983778f287101bc5f3bce00640 (patch)
tree4dccdcdcecd57fc8bfc083ff30d9e0ecb2e7ecba /security/selinux/hooks.c
parentselinux: Fix a problem in security_netlbl_sid_to_secattr() (diff)
downloadlinux-dfaebe9825ff34983778f287101bc5f3bce00640.tar.xz
linux-dfaebe9825ff34983778f287101bc5f3bce00640.zip
selinux: Fix missing calls to netlbl_skbuff_err()
At some point I think I messed up and dropped the calls to netlbl_skbuff_err() which are necessary for CIPSO to send error notifications to remote systems. This patch re-introduces the error handling calls into the SELinux code. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r--security/selinux/hooks.c19
1 files changed, 15 insertions, 4 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index b520667a24be..a91146a6b37d 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4101,6 +4101,8 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
return err;
err = avc_has_perm(sk_sid, peer_sid,
SECCLASS_PEER, PEER__RECV, &ad);
+ if (err)
+ selinux_netlbl_err(skb, err, 0);
} else {
err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
if (err)
@@ -4156,10 +4158,14 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
return err;
err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
peer_sid, &ad);
- if (err)
+ if (err) {
+ selinux_netlbl_err(skb, err, 0);
return err;
+ }
err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
PEER__RECV, &ad);
+ if (err)
+ selinux_netlbl_err(skb, err, 0);
}
if (secmark_active) {
@@ -4396,6 +4402,7 @@ out:
static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
u16 family)
{
+ int err;
char *addrp;
u32 peer_sid;
struct avc_audit_data ad;
@@ -4419,10 +4426,14 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
return NF_DROP;
- if (peerlbl_active)
- if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
- peer_sid, &ad) != 0)
+ if (peerlbl_active) {
+ err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
+ peer_sid, &ad);
+ if (err) {
+ selinux_netlbl_err(skb, err, 1);
return NF_DROP;
+ }
+ }
if (secmark_active)
if (avc_has_perm(peer_sid, skb->secmark,