On Nov 12, 2024 Mikhail Ivanov <ivanov.mikhail1@xxxxxxxxxxxxxxxxxxx> wrote: > > Check sk->sk_protocol instead of security class to recognize SCTP socket. > SCTP socket is initialized with SECCLASS_SOCKET class if policy does not > support EXTSOCKCLASS capability. In this case bind(2) hook wrongfully > return EAFNOSUPPORT instead of EINVAL. > > The inconsistency was detected with help of Landlock tests: > https://lore.kernel.org/all/b58680ca-81b2-7222-7287-0ac7f4227c3c@xxxxxxxxxxxxxxxxxxx/ > > Fixes: 0f8db8cc73df ("selinux: add AF_UNSPEC and INADDR_ANY checks to selinux_socket_bind()") > Signed-off-by: Mikhail Ivanov <ivanov.mikhail1@xxxxxxxxxxxxxxxxxxx> > --- > security/selinux/hooks.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) Looks good to me, merged into selinux/dev, thanks! -- paul-moore.com
