selinux: fix broken peer recv check

dahchanson · pcmoore · commit 598cdbcf8618 · 2013-12-11T17:07:56.000-05:00
Fix a broken networking check. Return an error if peer recv fails.  If
secmark is active and the packet recv succeeds the peer recv error is
ignored.

Signed-off-by: Chad Hanson &lt;chanson@trustedcs.com&gt;
Signed-off-by: Paul Moore &lt;pmoore@redhat.com&gt;
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
@@ -4338,8 +4338,10 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
 		}
 		err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
 				   PEER__RECV, &ad);
-		if (err)
+		if (err) {
 			selinux_netlbl_err(skb, err, 0);
+			return err;
+		}
 	}
 
 	if (secmark_active) {

Original file line number	Diff line number	Diff line change
`@@ -4338,8 +4338,10 @@ static int selinux_socket_sock_rcv_skb(struct sock sk, struct sk_buff skb)`
`4338`	`4338`	`}`
`4339`	`4339`	`err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,`
`4340`	`4340`	`PEER__RECV, &ad);`
`4341`		`- if (err)`
	`4341`	`+ if (err) {`
`4342`	`4342`	`selinux_netlbl_err(skb, err, 0);`
	`4343`	`+ return err;`
	`4344`	`+ }`
`4343`	`4345`	`}`
`4344`	`4346`
`4345`	`4347`	`if (secmark_active) {`