Instead of returning -EINVAL if any type of error occurs, limit
-EINVAL to only those errors caused by passing a bad/invalid socket
or packet/skb. In other cases where everything is correct but there
isn't a valid peer label we return -ENOPROTOOPT.
This helps make selinux_socket_getpeersec_dgram() more consistent
with selinux_socket_getpeersec_stream().
Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
---
security/selinux/hooks.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 48ae90327fa4..630ada3d208c 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5193,11 +5193,11 @@ static int selinux_socket_getpeersec_stream(struct socket *sock,
return err;
}
-static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
+static int selinux_socket_getpeersec_dgram(struct socket *sock,
+ struct sk_buff *skb, u32 *secid)
{
u32 peer_secid = SECSID_NULL;
u16 family;
- struct inode_security_struct *isec;
if (skb && skb->protocol == htons(ETH_P_IP))
family = PF_INET;
@@ -5205,19 +5205,21 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *
family = PF_INET6;
else if (sock)
family = sock->sk->sk_family;
- else
- goto out;
+ else {
+ *secid = SECSID_NULL;
+ return -EINVAL;
+ }
if (sock && family == PF_UNIX) {
+ struct inode_security_struct *isec;
isec = inode_security_novalidate(SOCK_INODE(sock));
peer_secid = isec->sid;
} else if (skb)
selinux_skb_peerlbl_sid(skb, family, &peer_secid);
-out:
*secid = peer_secid;
if (peer_secid == SECSID_NULL)
- return -EINVAL;
+ return -ENOPROTOOPT;
return 0;
}
--
2.43.0
