selinux: fix broken peer recv check

Fix a broken networking check. Return an error if peer recv fails. If secmark is active and the packet recv succeeds the peer recv error is ignored. Signed-off-by: Chad Hanson <chanson@trustedcs.com> Signed-off-by: Paul Moore <pmoore@redhat.com>
author: Chad Hanson <chanson@trustedcs.com> 2013-12-11 23:07:56 +0100
committer: Paul Moore <pmoore@redhat.com> 2013-12-11 23:07:56 +0100
commit: 598cdbcf861825692fe7905e0fd662c7d06bae58 (patch)
tree: c8114efd8770a9c8ee85f3e4c5cdec21447ba500 /security
parent: selinux: process labeled IPsec TCP SYN-ACK packets properly in selinux_ip_pos... (diff)
download: linux-598cdbcf861825692fe7905e0fd662c7d06bae58.tar.xz
linux-598cdbcf861825692fe7905e0fd662c7d06bae58.zip
1 files changed, 3 insertions, 1 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index a98228e7b91d..bf0537d78a70 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4338,8 +4338,10 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
 		}
 		err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
 				   PEER__RECV, &ad);
-		if (err)
+		if (err) {
 			selinux_netlbl_err(skb, err, 0);
+			return err;
+		}
 	}
 
 	if (secmark_active) {
author	Chad Hanson <chanson@trustedcs.com>	2013-12-11 23:07:56 +0100
committer	Paul Moore <pmoore@redhat.com>	2013-12-11 23:07:56 +0100
commit	598cdbcf861825692fe7905e0fd662c7d06bae58 (patch)
tree	c8114efd8770a9c8ee85f3e4c5cdec21447ba500 /security
parent	selinux: process labeled IPsec TCP SYN-ACK packets properly in selinux_ip_pos... (diff)
download	linux-598cdbcf861825692fe7905e0fd662c7d06bae58.tar.xz linux-598cdbcf861825692fe7905e0fd662c7d06bae58.zip