diff options
author | Maciej Żenczykowski <maze@google.com> | 2019-11-26 00:37:04 +0100 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2019-11-26 22:20:46 +0100 |
commit | 82f31ebf61bed3077c9935308e0a4b6c44842c5a (patch) | |
tree | 0db99fcf06cb9dd3f5333406547d0ed0680cea52 /security | |
parent | Merge branch 'ibmvnic-Harden-device-commands-and-queries' (diff) | |
download | linux-82f31ebf61bed3077c9935308e0a4b6c44842c5a.tar.xz linux-82f31ebf61bed3077c9935308e0a4b6c44842c5a.zip |
net: port < inet_prot_sock(net) --> inet_port_requires_bind_service(net, port)
Note that the sysctl write accessor functions guarantee that:
net->ipv4.sysctl_ip_prot_sock <= net->ipv4.ip_local_ports.range[0]
invariant is maintained, and as such the max() in selinux hooks is actually spurious.
ie. even though
if (snum < max(inet_prot_sock(sock_net(sk)), low) || snum > high) {
per logic is the same as
if ((snum < inet_prot_sock(sock_net(sk)) && snum < low) || snum > high) {
it is actually functionally equivalent to:
if (snum < low || snum > high) {
which is equivalent to:
if (snum < inet_prot_sock(sock_net(sk)) || snum < low || snum > high) {
even though the first clause is spurious.
But we want to hold on to it in case we ever want to change what what
inet_port_requires_bind_service() means (for example by changing
it from a, by default, [0..1024) range to some sort of set).
Test: builds, git 'grep inet_prot_sock' finds no other references
Cc: Eric Dumazet <edumazet@google.com>
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'security')
-rw-r--r-- | security/selinux/hooks.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 9625b99e677f..753b327f4806 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -4623,8 +4623,8 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in inet_get_local_port_range(sock_net(sk), &low, &high); - if (snum < max(inet_prot_sock(sock_net(sk)), low) || - snum > high) { + if (inet_port_requires_bind_service(sock_net(sk), snum) || + snum < low || snum > high) { err = sel_netport_sid(sk->sk_protocol, snum, &sid); if (err) |