selinux: correct return values in selinux_socket_getpeersec_dgram()
Instead of returning -EINVAL if any type of error occurs, limit -EINVAL to only those errors caused by passing a bad/invalid socket or packet/skb. In other cases where everything is correct but there isn't a valid peer label we return -ENOPROTOOPT. This helps make selinux_socket_getpeersec_dgram() more consistent with selinux_socket_getpeersec_stream(). Signed-off-by: Paul Moore <paul@paul-moore.com>
parent
90593caf7d
commit
bfda63fa22
@ -5193,11 +5193,11 @@ static int selinux_socket_getpeersec_stream(struct socket *sock,
|
||||
return err;
|
||||
}
|
||||
|
||||
static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
|
||||
static int selinux_socket_getpeersec_dgram(struct socket *sock,
|
||||
struct sk_buff *skb, u32 *secid)
|
||||
{
|
||||
u32 peer_secid = SECSID_NULL;
|
||||
u16 family;
|
||||
struct inode_security_struct *isec;
|
||||
|
||||
if (skb && skb->protocol == htons(ETH_P_IP))
|
||||
family = PF_INET;
|
||||
@ -5205,19 +5205,21 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *
|
||||
family = PF_INET6;
|
||||
else if (sock)
|
||||
family = sock->sk->sk_family;
|
||||
else
|
||||
goto out;
|
||||
else {
|
||||
*secid = SECSID_NULL;
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
if (sock && family == PF_UNIX) {
|
||||
struct inode_security_struct *isec;
|
||||
isec = inode_security_novalidate(SOCK_INODE(sock));
|
||||
peer_secid = isec->sid;
|
||||
} else if (skb)
|
||||
selinux_skb_peerlbl_sid(skb, family, &peer_secid);
|
||||
|
||||
out:
|
||||
*secid = peer_secid;
|
||||
if (peer_secid == SECSID_NULL)
|
||||
return -EINVAL;
|
||||
return -ENOPROTOOPT;
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
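Review bot: The result of `selinux_skb_peerlbl_sid(skb, family, &peer_secid)` in the `else if (skb)` arm is still discarded, so under the new return codes a failed label lookup would look the same to callers as a packet that has no peer label: presumably both leave `peer_secid` at `SECSID_NULL` and return -ENOPROTOOPT. The helper's definition is outside this diff, so whether it can fail needs confirming. If it can, either capture and propagate the error (`err = selinux_skb_peerlbl_sid(skb, family, &peer_secid);` then `if (err) { *secid = SECSID_NULL; return err; }`, with a local `int err`) or record the intent next to the call, e.g. `/* lookup errors are reported as "no peer label" (-ENOPROTOOPT) */`. As a style point, the new braced `else { ... }` follows unbraced `if`/`else if` arms and `} else if (skb)` is unbraced after a braced arm; kernel style braces every arm once one needs braces, and a blank line after the `isec` declaration would be expected.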