Change netlbl_skbuff_setattr() to return the labeling type of the domain. This allows the labeling types to be compared when two LSMs want to determine how a socket should be used.
Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
---
 net/netlabel/netlabel_kapi.c | 7 ++++++-
 security/selinux/netlabel.c | 2 ++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index 2bd765290550..1d362a38dd05 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -1278,7 +1278,8 @@ void netlbl_req_delattr(struct request_sock *req)
 *
 * Description:
 * Attach the correct label to the given packet using the security attributes
- * specified in @secattr. Returns zero on success, negative values on failure.
+ * specified in @secattr. Returns the NLTYPE on success, negative values on
+ * failure.
 *
 */
 int netlbl_skbuff_setattr(struct sk_buff *skb,
@@ -1315,6 +1316,8 @@ int netlbl_skbuff_setattr(struct sk_buff *skb,
 default:
 ret_val = -ENOENT;
 }
+ if (ret_val == 0)
+ ret_val = entry->type;
 break;
 #if IS_ENABLED(CONFIG_IPV6)
 case AF_INET6:
@@ -1338,6 +1341,8 @@ int netlbl_skbuff_setattr(struct sk_buff *skb,
 default:
 ret_val = -ENOENT;
 }
+ if (ret_val == 0)
+ ret_val = entry->type;
 break;
 #endif /* IPv6 */
 default:
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index ca47c99f964a..b6eede4406bd 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -266,6 +266,8 @@ int selinux_netlbl_skbuff_setsid(struct sk_buff *skb,
 }
 rc = netlbl_skbuff_setattr(skb, family, secattr);
+ if (rc > 0)
+ rc = 0;
 skbuff_setsid_return:
 if (secattr == &secattr_storage)
--
2.17.0
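Review bot: The revised kernel-doc in the `@@ -1278,7 +1278,8 @@` hunk says netlbl_skbuff_setattr() returns "the NLTYPE on success" but does not say that success is now a positive value rather than zero, which is what a caller has to know. A caller that tests the result with `if (rc)` or `rc != 0` would treat a successfully labeled packet as a failure; only selinux_netlbl_skbuff_setsid() is adjusted in this patch, so any other callers outside it should be checked. Suggested wording: `Returns the NETLBL_NLTYPE_* value of the matching domain entry (greater than zero) on success, negative values on failure.` The function body continues outside this hunk.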
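Review bot: The two added lines in the AF_INET arm (`@@ -1315,6 +1316,8 @@`) are repeated verbatim in the AF_INET6 arm (`@@ -1338,6 +1341,8 @@`), and neither carries a comment saying that a zero from the inner switch is replaced by the entry's type while negative error codes pass through unchanged. A short comment above each, such as `/* success: report the domain's labeling type instead of 0 */`, would make the new return convention visible where it is produced. The conversion assumes that no labeling type accepted by the inner switch has the value zero; that cannot be confirmed from the lines shown, since both switch statements begin outside the hunks.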
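Review bot: The clamp `if (rc > 0) rc = 0;` in selinux_netlbl_skbuff_setsid() (`@@ -266,6 +266,8 @@`) has no comment, so a later reader cannot tell from this file why a positive return from netlbl_skbuff_setattr() is not an error. I would add `/* netlbl_skbuff_setattr() returns the labeling type (> 0) on success; callers of this function expect 0 */` above it. The function starts and ends outside the hunk, so whether every other path into `skbuff_setsid_return:` already yields zero or a negative value is not visible here.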