From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=ZEWG=T3=vger.kernel.org=stable-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.0 required=3.0 tests=DKIM_SIGNED,DKIM_VALID,
	HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,
	SPF_HELO_NONE,SPF_PASS,T_DKIMWL_WL_HIGH,URIBL_BLOCKED autolearn=ham
	autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 46C29C04AB3
	for <stable@archiver.kernel.org>; Mon, 27 May 2019 12:04:14 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 1C01820883
	for <stable@archiver.kernel.org>; Mon, 27 May 2019 12:04:14 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=default; t=1558958654;
	bh=rtjfetISqIob2LCtRPkxAXUCh33AnYHKBWEi4jDWW2k=;
	h=Subject:To:Cc:From:Date:List-ID:From;
	b=qaUYO0Oa1YUveJ9Hmq1PhSgtDS7BWm6CuGECDaF8EiC3u6wkW4adQf7oFFwuow3eI
	 pKP1OCi7v3d/bZ9P2al2zLKzpdwpavB5YEnOQacsaj14yviT/AaZR7dCfXpZ3271dV
	 WG/tmP4OG2txAMGgwvTqUVucMzh5EUJqRbGAW/xg=
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726579AbfE0MEN (ORCPT <rfc822;stable@archiver.kernel.org>);
        Mon, 27 May 2019 08:04:13 -0400
Received: from wout5-smtp.messagingengine.com ([64.147.123.21]:57823 "EHLO
        wout5-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1726522AbfE0MEN (ORCPT
        <rfc822;stable@vger.kernel.org>); Mon, 27 May 2019 08:04:13 -0400
Received: from compute6.internal (compute6.nyi.internal [10.202.2.46])
        by mailout.west.internal (Postfix) with ESMTP id 5CCEC425;
        Mon, 27 May 2019 08:04:12 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162])
  by compute6.internal (MEProxy); Mon, 27 May 2019 08:04:12 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
        messagingengine.com; h=cc:content-transfer-encoding:content-type
        :date:from:message-id:mime-version:subject:to:x-me-proxy
        :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=D1G5cn
        lKfzQsfcTFD/SaomEO1yj2eK58OptlRuQ/JSI=; b=nxoBM5BHL18x7RWpm6eAaQ
        XwLq6N4/sMgoA2+oPK3ZeUHw8rbwSj3DkM1FfyBQil8wqbvU8iepaJgMRftFtbC1
        3QB5N5TmcML0jjmq+1UArg7QK0IJkNESyt7OxfIBFemY7KPpyYg/6Ha2MjmLM/nw
        CH8FOFz1yupQ+7wded1DOHRhjj96ebUI01tBc7+2cXhfD/A+1x6RTAjlsM3MROvj
        ba3aYsc7RDO+kMxdCpcWaCOPfUAL2xo3L9Zne0gGYNNtCemhLI3xroC9LJZq/io6
        b2o6V6MwvZCpvVhRwdpRRyA36in1TY8BaDO4y4AjAwv7L3TPj1qvLuBgvmNMbQrA
        ==
X-ME-Sender: <xms:O9LrXDSyz8TKMJB_gSqFI3pbbVgr_RLaRvGpdm80xPADq-ewetMZ0w>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduuddruddvvddggeekucetufdoteggodetrfdotf
    fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
    uceurghilhhouhhtmecufedttdenucenucfjughrpefuvffhfffkgggtgfesthekredttd
    dtlfenucfhrhhomhepoehgrhgvghhkhheslhhinhhugihfohhunhgurghtihhonhdrohhr
    gheqnecukfhppeekfedrkeeirdekledruddtjeenucfrrghrrghmpehmrghilhhfrhhomh
    epghhrvghgsehkrhhorghhrdgtohhmnecuvehluhhsthgvrhfuihiivgepje
X-ME-Proxy: <xmx:O9LrXGtb4nCdb4G6VNkTOwCOSByVdTo90VFv0Pie6tQj03XJJdABRA>
    <xmx:O9LrXM06uQOTmjlCpfFjgPOZpGr82NgRGx9GN83NxZroQ3J8uVaMyA>
    <xmx:O9LrXHPduI5g7dQmh7gCjT8jh4OPLkTWKPKczfedG554figRfeOyEQ>
    <xmx:PNLrXF0EgkOsRXf4HFZ07PojRgl1XEWm5tnAdMgSlIeMOHe2rqkCXg>
Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107])
        by mail.messagingengine.com (Postfix) with ESMTPA id 7374C80064;
        Mon, 27 May 2019 08:04:11 -0400 (EDT)
Subject: FAILED: patch "[PATCH] selinux: do not report error on connect(AF_UNSPEC)" failed to apply to 4.19-stable tree
To:     pabeni@redhat.com, paul@paul-moore.com, tdeseyn@redhat.com
Cc:     <stable@vger.kernel.org>
From:   <gregkh@linuxfoundation.org>
Date:   Mon, 27 May 2019 14:04:02 +0200
Message-ID: <155895864215568@kroah.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ANSI_X3.4-1968
Content-Transfer-Encoding: 8bit
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org


The patch below does not apply to the 4.19-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable@vger.kernel.org>.

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

>From 05174c95b83f8aca0c47b87115abb7a6387aafa5 Mon Sep 17 00:00:00 2001
From: Paolo Abeni <pabeni@redhat.com>
Date: Fri, 10 May 2019 19:12:33 +0200
Subject: [PATCH] selinux: do not report error on connect(AF_UNSPEC)

calling connect(AF_UNSPEC) on an already connected TCP socket is an
established way to disconnect() such socket. After commit 68741a8adab9
("selinux: Fix ltp test connect-syscall failure") it no longer works
and, in the above scenario connect() fails with EAFNOSUPPORT.

Fix the above explicitly early checking for AF_UNSPEC family, and
returning success in that case.

Reported-by: Tom Deseyn <tdeseyn@redhat.com>
Cc: stable@vger.kernel.org
Fixes: 68741a8adab9 ("selinux: Fix ltp test connect-syscall failure")
Suggested-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index c61787b15f27..3ec702cf46ca 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4637,6 +4637,14 @@ static int selinux_socket_connect_helper(struct socket *sock,
 	err = sock_has_perm(sk, SOCKET__CONNECT);
 	if (err)
 		return err;
+	if (addrlen < offsetofend(struct sockaddr, sa_family))
+		return -EINVAL;
+
+	/* connect(AF_UNSPEC) has special handling, as it is a documented
+	 * way to disconnect the socket
+	 */
+	if (address->sa_family == AF_UNSPEC)
+		return 0;
 
 	/*
 	 * If a TCP, DCCP or SCTP socket, check name_connect permission
@@ -4657,8 +4665,6 @@ static int selinux_socket_connect_helper(struct socket *sock,
 		 * need to check address->sa_family as it is possible to have
 		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
 		 */
-		if (addrlen < offsetofend(struct sockaddr, sa_family))
-			return -EINVAL;
 		switch (address->sa_family) {
 		case AF_INET:
 			addr4 = (struct sockaddr_in *)address;