summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorMaciej Żenczykowski <maze@google.com>2019-11-26 00:37:04 +0100
committerDavid S. Miller <davem@davemloft.net>2019-11-26 22:20:46 +0100
commit82f31ebf61bed3077c9935308e0a4b6c44842c5a (patch)
tree0db99fcf06cb9dd3f5333406547d0ed0680cea52 /security
parentMerge branch 'ibmvnic-Harden-device-commands-and-queries' (diff)
downloadlinux-82f31ebf61bed3077c9935308e0a4b6c44842c5a.tar.xz
linux-82f31ebf61bed3077c9935308e0a4b6c44842c5a.zip
net: port < inet_prot_sock(net) --> inet_port_requires_bind_service(net, port)
Note that the sysctl write accessor functions guarantee that: net->ipv4.sysctl_ip_prot_sock <= net->ipv4.ip_local_ports.range[0] invariant is maintained, and as such the max() in selinux hooks is actually spurious. ie. even though if (snum < max(inet_prot_sock(sock_net(sk)), low) || snum > high) { per logic is the same as if ((snum < inet_prot_sock(sock_net(sk)) && snum < low) || snum > high) { it is actually functionally equivalent to: if (snum < low || snum > high) { which is equivalent to: if (snum < inet_prot_sock(sock_net(sk)) || snum < low || snum > high) { even though the first clause is spurious. But we want to hold on to it in case we ever want to change what what inet_port_requires_bind_service() means (for example by changing it from a, by default, [0..1024) range to some sort of set). Test: builds, git 'grep inet_prot_sock' finds no other references Cc: Eric Dumazet <edumazet@google.com> Signed-off-by: Maciej Żenczykowski <maze@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'security')
-rw-r--r--security/selinux/hooks.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 9625b99e677f..753b327f4806 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4623,8 +4623,8 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
inet_get_local_port_range(sock_net(sk), &low, &high);
- if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
- snum > high) {
+ if (inet_port_requires_bind_service(sock_net(sk), snum) ||
+ snum < low || snum > high) {
err = sel_netport_sid(sk->sk_protocol,
snum, &sid);
if (err)