[3.8.y.z extended stable] Patch "selinux: fix broken peer recv check" has been added to staging queue
Kamal Mostafa
kamal at canonical.com
Mon Jan 13 18:10:39 UTC 2014
This is a note to let you know that I have just added a patch titled
selinux: fix broken peer recv check
to the linux-3.8.y-queue branch of the 3.8.y.z extended stable tree
which can be found at:
http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.8.y-queue
This patch is scheduled to be released in version 3.8.13.16.
If you, or anyone else, feels it should not be added to this tree, please
reply to this email.
For more information about the 3.8.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable
Thanks.
-Kamal
------
From f583a010dd1dcf98d209563529384e233cfd656c Mon Sep 17 00:00:00 2001
From: Chad Hanson <chanson at trustedcs.com>
Date: Mon, 23 Dec 2013 17:45:01 -0500
Subject: selinux: fix broken peer recv check
commit 46d01d63221c3508421dd72ff9c879f61053cffc upstream.
Fix a broken networking check. Return an error if peer recv fails. If
secmark is active and the packet recv succeeds the peer recv error is
ignored.
Signed-off-by: Chad Hanson <chanson at trustedcs.com>
Signed-off-by: Paul Moore <pmoore at redhat.com>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
security/selinux/hooks.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 1ce432d..0963169 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4205,8 +4205,10 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
}
err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
PEER__RECV, &ad);
- if (err)
+ if (err) {
selinux_netlbl_err(skb, err, 0);
+ return err;
+ }
}
if (secmark_active) {
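Review bot: in the `if (err)` branch after the `avc_has_perm(..., SECCLASS_PEER, PEER__RECV, &ad)` call, the new `return err;` is the entire fix, but nothing in the code says why returning at this point matters. Per the commit message, without it a peer recv denial is ignored when secmark is active and the packet recv check succeeds, so a one-line comment above `return err;` stating that the following `if (secmark_active)` block must not be reached with a pending peer denial would help keep the early return from being dropped in a later cleanup. The third sentence of the commit message would also read more clearly if it said explicitly that it describes the behaviour before this change.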
--
1.8.3.2