On Tue, Oct 19, 2021 at 8:16 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> Unfortunately we can't rely on nf_hook_state->sk being the proper
> originating socket so revert to using skb_to_full_sk(skb).
>
> Fixes: 1d1e1ded1356 ("1d1e1ded13568be81a0e19d228e310a48997bec8")
This doesn't seem right :)
> Reported-by: Linux Kernel Functional Testing <lkft@xxxxxxxxxx>
> Suggested-by: Florian Westphal <fw@xxxxxxxxx>
> Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
> ---
> security/selinux/hooks.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index b4a1bde20261..6f08cd2fc6a8 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -5778,9 +5778,9 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
> struct lsm_network_audit net = {0,};
> u8 proto;
>
> - if (state->sk == NULL)
> - return NF_ACCEPT;
> sk = skb_to_full_sk(skb);
> + if (sk == NULL)
> + return NF_ACCEPT;
> sksec = sk->sk_security;
>
> ad.type = LSM_AUDIT_DATA_NET;
>
--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
