On Fri, May 10, 2019 at 9:49 AM Paolo Abeni <pabeni@xxxxxxxxxx> wrote:
>
> Calling connect(AF_UNSPEC) on an already connected TCP socket is an
> established way to disconnect() such a socket. After commit 68741a8adab9
> ("selinux: Fix ltp test connect-syscall failure") it no longer works
> and, in the above scenario, connect() fails with EAFNOSUPPORT.
>
> Fix the above by skipping the checks when the address family is not
> AF_INET{4,6} - we don't have any port to validate, but leave the
> SCTP code path untouched, as it has specific constraints.
>
> Fixes: 68741a8adab9 ("selinux: Fix ltp test connect-syscall failure")
> Reported-by: Tom Deseyn <tdeseyn@xxxxxxxxxx>
> Signed-off-by: Paolo Abeni <pabeni@xxxxxxxxxx>
> ---
> v1 -> v2:
>  - avoid validation for AF_UNSPEC
> ---
>  security/selinux/hooks.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)

What was wrong with explicitly checking for AF_UNSPEC as I mentioned in
my last email?

> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index c61787b15f27..bccc4b3e6f57 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -4674,12 +4674,13 @@ static int selinux_socket_connect_helper(struct socket *sock,
>                 break;
>         default:
>                 /* Note that SCTP services expect -EINVAL, whereas
> -                * others expect -EAFNOSUPPORT.
> +                * others must handle this at the protocol level:
> +                * connect(AF_UNSPEC) on a connected socket is
> +                * a documented way disconnect the socket
>                  */
>                 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
>                         return -EINVAL;
> -               else
> -                       return -EAFNOSUPPORT;
> +               return 0;
>         }
>
>         err = sel_netport_sid(sk->sk_protocol, snum, &sid);
> --
> 2.20.1

--
paul moore
www.paul-moore.com
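Review bot: the new `return 0;` in the `default:` branch of selinux_socket_connect_helper() covers every address family that is neither AF_INET/AF_INET6 nor the SCTP case, not just AF_UNSPEC, so a connect() with any other sa_family now leaves the helper without a port check where it previously got -EAFNOSUPPORT; the v2 changelog says "avoid validation for AF_UNSPEC", which an explicit AF_UNSPEC test returning 0 for that family alone, with `return -EAFNOSUPPORT;` kept for the rest, would match more precisely. The added comment is also missing a word: "a documented way disconnect the socket" should read "a documented way to disconnect the socket".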
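The disconnect idiom the commit message relies on, as an added example that is not part of this thread or of the kernel patch: a C program that opens a TCP connection over loopback, disconnects it by calling connect() again with a sockaddr whose sa_family is AF_UNSPEC, and then uses getpeername() to confirm the socket is unconnected. On a kernel carrying the regression described above the second connect() fails with EAFNOSUPPORT, which the function reports as a distinct outcome. The function name, the outcome codes and the loopback listener are this example's own constructions.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Outcome codes for tcp_unspec_disconnect_demo() (names are this example's own). */
enum {
	DEMO_OK = 0,                /* connect(AF_UNSPEC) returned 0 and the socket is unconnected */
	DEMO_SETUP_FAILED = 1,      /* loopback listener/connection could not be set up */
	DEMO_DISCONNECT_FAILED = 2, /* connect(AF_UNSPEC) failed; *err_out holds its errno */
	DEMO_STILL_CONNECTED = 3,   /* connect(AF_UNSPEC) returned 0 but getpeername() still works */
};

/*
 * Connect a TCP socket to a listener on 127.0.0.1, then disconnect it with
 * connect(AF_UNSPEC).  *err_out receives the errno of the failing connect()
 * for DEMO_DISCONNECT_FAILED, or the errno from the final getpeername()
 * (ENOTCONN is expected) for DEMO_OK.
 */
static int tcp_unspec_disconnect_demo(int *err_out)
{
	int lfd = -1, cfd = -1, afd = -1;
	int rc = DEMO_SETUP_FAILED;
	struct sockaddr_in addr, peer;
	struct sockaddr unspec;
	socklen_t len;

	*err_out = 0;

	/* Listener on loopback with a kernel-chosen ephemeral port. */
	lfd = socket(AF_INET, SOCK_STREAM, 0);
	if (lfd < 0)
		goto out;
	memset(&addr, 0, sizeof(addr));
	addr.sin_family = AF_INET;
	addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
	addr.sin_port = 0;
	if (bind(lfd, (struct sockaddr *)&addr, sizeof(addr)) < 0 || listen(lfd, 1) < 0)
		goto out;
	len = sizeof(addr);
	if (getsockname(lfd, (struct sockaddr *)&addr, &len) < 0)
		goto out;

	/* Client side: an ordinary AF_INET connect(), the path the hook above port-checks. */
	cfd = socket(AF_INET, SOCK_STREAM, 0);
	if (cfd < 0 || connect(cfd, (struct sockaddr *)&addr, sizeof(addr)) < 0)
		goto out;
	afd = accept(lfd, NULL, NULL);
	if (afd < 0)
		goto out;
	len = sizeof(peer);
	if (getpeername(cfd, (struct sockaddr *)&peer, &len) < 0)
		goto out; /* sanity check: the client must be connected at this point */

	/* The disconnect idiom: connect() once more with sa_family == AF_UNSPEC. */
	memset(&unspec, 0, sizeof(unspec));
	unspec.sa_family = AF_UNSPEC;
	if (connect(cfd, &unspec, sizeof(unspec)) < 0) {
		*err_out = errno; /* EAFNOSUPPORT here is the regression the patch addresses */
		rc = DEMO_DISCONNECT_FAILED;
		goto out;
	}

	/* A disconnected TCP socket has no peer, so getpeername() fails with ENOTCONN. */
	len = sizeof(peer);
	if (getpeername(cfd, (struct sockaddr *)&peer, &len) == 0) {
		rc = DEMO_STILL_CONNECTED;
		goto out;
	}
	*err_out = errno;
	rc = DEMO_OK;

out:
	if (afd >= 0)
		close(afd);
	if (cfd >= 0)
		close(cfd);
	if (lfd >= 0)
		close(lfd);
	return rc;
}

int main(void)
{
	int err = 0;
	int rc = tcp_unspec_disconnect_demo(&err);

	printf("outcome %d, errno %d (%s)\n", rc, err, err ? strerror(err) : "none");
	return rc == DEMO_OK ? 0 : 1;
}
```

Run on an unaffected kernel the program reports outcome 0 with errno ENOTCONN; on a kernel with the regression it reports outcome 2 with errno EAFNOSUPPORT. Outcome 1 means the environment has no usable loopback networking and says nothing about the kernel's connect() behaviour.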