Change netlbl_req_setattr() to return the labeling type of the domain. This allows the labeling types to be compared when two LSMs want to determine how a socket should be used.
Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
---
 net/netlabel/netlabel_kapi.c | 18 +++++++++++-------
 security/selinux/netlabel.c | 2 ++
 security/smack/smack_lsm.c | 2 ++
 3 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index 1d362a38dd05..5c5825171281 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -1185,12 +1185,14 @@ int netlbl_conn_setattr(struct sock *sk,
 *
 * Description:
 * Attach the correct label to the given socket using the security attributes
- * specified in @secattr. Returns zero on success, negative values on failure.
+ * specified in @secattr. Returns the NLTYPE on success, negative values on
+ * failure.
 *
 */
 int netlbl_req_setattr(struct request_sock *req,
 const struct netlbl_lsm_secattr *secattr)
 {
+ int rc;
 int ret_val;
 struct netlbl_dommap_def *entry;
 struct inet_request_sock *ireq = inet_rsk(req);
@@ -1204,14 +1206,15 @@ int netlbl_req_setattr(struct request_sock *req,
 ret_val = -ENOENT;
 goto req_setattr_return;
 }
+ ret_val = entry->type;
 switch (entry->type) {
 case NETLBL_NLTYPE_CIPSOV4:
- ret_val = cipso_v4_req_setattr(req,
- entry->cipso, secattr);
+ rc = cipso_v4_req_setattr(req, entry->cipso, secattr);
+ if (rc < 0)
+ ret_val = rc;
 break;
 case NETLBL_NLTYPE_UNLABELED:
 netlbl_req_delattr(req);
- ret_val = 0;
 break;
 default:
 ret_val = -ENOENT;
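Review bot: The updated kernel-doc on netlbl_req_setattr() says only "Returns the NLTYPE on success", which leaves callers to work out that success is no longer zero. From the cases visible in the later hunks, a successful return is one of NETLBL_NLTYPE_CIPSOV4, NETLBL_NLTYPE_CALIPSO or NETLBL_NLTYPE_UNLABELED, so I would spell that out, e.g. `* Returns the NETLBL_NLTYPE_* value of the matching domain entry on success, negative values on failure.` Any caller that still tests the result with `!= 0` would now treat a correctly labelled request as an error. This patch adjusts the SELinux and Smack callers; other callers, if any exist outside this diff, need the same check.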
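Review bot: `ret_val = entry->type;` ahead of the `switch` at -1204 means the success value survives only because each case leaves `ret_val` untouched or replaces it with a negative errno, and nothing in the code says so. A short comment on that line would keep a later case from reintroducing `ret_val = 0`, e.g. `/* success value is the labeling type; cases below overwrite it only on error */`. The same applies to the IPv6 hunk at -1225 with calipso_req_setattr(). Note also that `if (rc < 0)` discards any positive return from cipso_v4_req_setattr(); that is harmless if the helper only returns zero or a negative errno, which is not visible here. The function body begins and ends outside this hunk.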
@@ -1225,14 +1228,15 @@ int netlbl_req_setattr(struct request_sock *req,
 ret_val = -ENOENT;
 goto req_setattr_return;
 }
+ ret_val = entry->type;
 switch (entry->type) {
 case NETLBL_NLTYPE_CALIPSO:
- ret_val = calipso_req_setattr(req,
- entry->calipso, secattr);
+ rc = calipso_req_setattr(req, entry->calipso, secattr);
+ if (rc < 0)
+ ret_val = rc;
 break;
 case NETLBL_NLTYPE_UNLABELED:
 netlbl_req_delattr(req);
- ret_val = 0;
 break;
 default:
 ret_val = -ENOENT;
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index b6eede4406bd..9fbf22a3ca57 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -358,6 +358,8 @@ int selinux_netlbl_inet_conn_request(struct request_sock *req, u16 family)
 if (rc != 0)
 goto inet_conn_request_return;
 rc = netlbl_req_setattr(req, &secattr);
+ if (rc > 0)
+ rc = 0;
 inet_conn_request_return:
 netlbl_secattr_destroy(&secattr);
 return rc;
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 20eed64e91de..086a3f696baa 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -4060,6 +4060,8 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
 rc = netlbl_req_setattr(req, &skp->smk_netlabel);
 else
 rc = netlbl_req_setattr(req, &smack_net_ambient->smk_netlabel);
+ if (rc >= 0)
+ return 0;
 return rc;
 }
--
2.17.0
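Review bot: The two LSM callers squash the new return value in different ways and without explanation: `if (rc > 0) rc = 0;` in selinux_netlbl_inet_conn_request() and `if (rc >= 0) return 0;` in smack_inet_conn_request() in the following hunk. The two are equivalent, but one spelling plus a comment would make it clear that the labeling type is deliberately dropped so the hook keeps returning 0 or a negative errno, e.g. `/* netlbl_req_setattr() returns the NLTYPE on success; the hook reports only 0 or -errno */`. Both functions start outside their hunks.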