Change netlbl_sock_setattr() to return the labeling
type of the domain. This allows the labeling types to
be compared when two LSMs want to determine how a socket
should be used.
Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
---
net/netlabel/netlabel_kapi.c | 25 ++++++++++++-------------
security/selinux/netlabel.c | 11 ++++-------
security/smack/smack_lsm.c | 2 ++
3 files changed, 18 insertions(+), 20 deletions(-)
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index db6bb1c037f9..61766da2cfac 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -973,15 +973,14 @@ int netlbl_enabled(void)
* Attach the correct label to the given socket using the security attributes
* specified in @secattr. This function requires exclusive access to @sk,
* which means it either needs to be in the process of being created or locked.
- * Returns zero on success, -EDESTADDRREQ if the domain is configured to use
- * network address selectors (can't blindly label the socket), and negative
- * values on all other failures.
+ * Returns the labeling type of the domain, or negative values on failures.
*
*/
int netlbl_sock_setattr(struct sock *sk,
u16 family,
const struct netlbl_lsm_secattr *secattr)
{
+ int rc;
int ret_val;
struct netlbl_dom_map *dom_entry;
@@ -993,17 +992,17 @@ int netlbl_sock_setattr(struct sock *sk,
}
switch (family) {
case AF_INET:
+ ret_val = dom_entry->def.type;
switch (dom_entry->def.type) {
case NETLBL_NLTYPE_ADDRSELECT:
- ret_val = -EDESTADDRREQ;
break;
case NETLBL_NLTYPE_CIPSOV4:
- ret_val = cipso_v4_sock_setattr(sk,
- dom_entry->def.cipso,
- secattr);
+ rc = cipso_v4_sock_setattr(sk, dom_entry->def.cipso,
+ secattr);
+ if (rc < 0)
+ ret_val = rc;
break;
case NETLBL_NLTYPE_UNLABELED:
- ret_val = 0;
break;
default:
ret_val = -ENOENT;
@@ -1011,17 +1010,17 @@ int netlbl_sock_setattr(struct sock *sk,
break;
#if IS_ENABLED(CONFIG_IPV6)
case AF_INET6:
+ ret_val = dom_entry->def.type;
switch (dom_entry->def.type) {
case NETLBL_NLTYPE_ADDRSELECT:
- ret_val = -EDESTADDRREQ;
break;
case NETLBL_NLTYPE_CALIPSO:
- ret_val = calipso_sock_setattr(sk,
- dom_entry->def.calipso,
- secattr);
+ rc = calipso_sock_setattr(sk, dom_entry->def.calipso,
+ secattr);
+ if (rc < 0)
+ ret_val = rc;
break;
case NETLBL_NLTYPE_UNLABELED:
- ret_val = 0;
break;
default:
ret_val = -ENOENT;
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index 4bbd50237a8a..85156a0cdfc3 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -418,15 +418,12 @@ int selinux_netlbl_socket_post_create(struct sock *sk, u16 family)
if (secattr == NULL)
return -ENOMEM;
rc = netlbl_sock_setattr(sk, family, secattr);
- switch (rc) {
- case 0:
- sksec->nlbl_state = NLBL_LABELED;
- break;
- case -EDESTADDRREQ:
+ if (rc == NETLBL_NLTYPE_ADDRSELECT)
sksec->nlbl_state = NLBL_REQSKB;
+ else if (rc >= 0)
+ sksec->nlbl_state = NLBL_LABELED;
+ if (rc > 0)
rc = 0;
- break;
- }
return rc;
}
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index f965c9e6287e..20eed64e91de 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -2337,6 +2337,8 @@ static int smack_netlabel(struct sock *sk)
skp = ssp->smk_out;
rc = netlbl_sock_setattr(sk, sk->sk_family, &skp->smk_netlabel);
+ if (rc > 0)
+ rc = 0;
bh_unlock_sock(sk);
local_bh_enable();
--
2.17.0
