* [PATCH] selinux: correct return values in selinux_socket_getpeersec_dgram()
From: Paul Moore @ 2024-01-30 23:23 UTC (permalink / raw)
To: selinux
Instead of returning -EINVAL if any type of error occurs, limit
-EINVAL to only those errors caused by passing a bad/invalid socket
or packet/skb. In other cases where everything is correct but there
isn't a valid peer label we return -ENOPROTOOPT.
This helps make selinux_socket_getpeersec_dgram() more consistent
with selinux_socket_getpeersec_stream().
Signed-off-by: Paul Moore <paul@paul-moore.com>
---
security/selinux/hooks.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 48ae90327fa4..630ada3d208c 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5193,11 +5193,11 @@ static int selinux_socket_getpeersec_stream(struct socket *sock,
return err;
}
-static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
+static int selinux_socket_getpeersec_dgram(struct socket *sock,
+ struct sk_buff *skb, u32 *secid)
{
u32 peer_secid = SECSID_NULL;
u16 family;
- struct inode_security_struct *isec;
if (skb && skb->protocol == htons(ETH_P_IP))
family = PF_INET;
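Review bot: the definition of selinux_socket_getpeersec_dgram() at the top of this hunk has no comment describing its return values, and with this patch callers can now see two distinct errors. A short comment above the function stating that -EINVAL means a bad socket or skb and -ENOPROTOOPT means no valid peer label, with *secid set to SECSID_NULL in both cases, would document the contract the commit message describes.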
@@ -5205,19 +5205,21 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *
family = PF_INET6;
else if (sock)
family = sock->sk->sk_family;
- else
- goto out;
+ else {
+ *secid = SECSID_NULL;
+ return -EINVAL;
+ }
if (sock && family == PF_UNIX) {
+ struct inode_security_struct *isec;
isec = inode_security_novalidate(SOCK_INODE(sock));
peer_secid = isec->sid;
} else if (skb)
selinux_skb_peerlbl_sid(skb, family, &peer_secid);
-out:
*secid = peer_secid;
if (peer_secid == SECSID_NULL)
- return -EINVAL;
+ return -ENOPROTOOPT;
return 0;
}
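Review bot: one bad-argument case still falls through to -ENOPROTOOPT. When sock is non-NULL, family is not PF_UNIX and skb is NULL, neither "if (sock && family == PF_UNIX)" nor "else if (skb)" runs, so peer_secid stays SECSID_NULL and the function returns -ENOPROTOOPT even though no packet was supplied to read a label from. If that combination counts as a bad socket/skb per the commit message, add a final else branch after "else if (skb)" that returns -EINVAL; if it is meant to be the "no valid peer label" case, a one-line comment there would make that explicit. As a smaller style point, the new "else { ... }" at the top of the hunk is the only braced branch in that if/else-if chain, and kernel coding style asks for braces on all branches once one of them needs them.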
--
2.43.0
* Re: [PATCH] selinux: correct return values in selinux_socket_getpeersec_dgram()
From: Paul Moore @ 2024-02-02 18:47 UTC (permalink / raw)
To: selinux
On Tue, Jan 30, 2024 at 6:23 PM Paul Moore <paul@paul-moore.com> wrote:
>
> Instead of returning -EINVAL if any type of error occurs, limit
> -EINVAL to only those errors caused by passing a bad/invalid socket
> or packet/skb. In other cases where everything is correct but there
> isn't a valid peer label we return -ENOPROTOOPT.
>
> This helps make selinux_socket_getpeersec_dgram() more consistent
> with selinux_socket_getpeersec_stream().
>
> Signed-off-by: Paul Moore <paul@paul-moore.com>
> ---
> security/selinux/hooks.c | 14 ++++++++------
> 1 file changed, 8 insertions(+), 6 deletions(-)
Merged into selinux/dev.
--
paul-moore.com