[3.8.y.z extended stable] Patch "selinux: fix broken peer recv check" has been added to staging queue

Kamal Mostafa kamal at canonical.com
Mon Jan 13 18:10:39 UTC 2014


This is a note to let you know that I have just added a patch titled

    selinux: fix broken peer recv check

to the linux-3.8.y-queue branch of the 3.8.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.8.y-queue

This patch is scheduled to be released in version 3.8.13.16.

If you, or anyone else, feel it should not be added to this tree, please
reply to this email.

For more information about the 3.8.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Kamal

------

From f583a010dd1dcf98d209563529384e233cfd656c Mon Sep 17 00:00:00 2001
From: Chad Hanson <chanson at trustedcs.com>
Date: Mon, 23 Dec 2013 17:45:01 -0500
Subject: selinux: fix broken peer recv check

commit 46d01d63221c3508421dd72ff9c879f61053cffc upstream.

Fix a broken networking check. Return an error if peer recv fails.  If
secmark is active and the packet recv succeeds the peer recv error is
ignored.

Signed-off-by: Chad Hanson <chanson at trustedcs.com>
Signed-off-by: Paul Moore <pmoore at redhat.com>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
 security/selinux/hooks.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 1ce432d..0963169 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4205,8 +4205,10 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
 		}
 		err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
 				   PEER__RECV, &ad);
-		if (err)
+		if (err) {
 			selinux_netlbl_err(skb, err, 0);
+			return err;
+		}
 	}

 	if (secmark_active) {
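Review bot: the added `return err;` is placed correctly after `selinux_netlbl_err(skb, err, 0);`, so the NetLabel error handling for the denied packet still runs before the function bails out; before this hunk a failed `PEER__RECV` check only logged and then fell through to the `if (secmark_active)` block, which, as the commit message states, could let a successful secmark recv mask the peer denial. One documentation point: the commit message says the peer recv error "is ignored" but not how, so a line noting that the later secmark path reassigns `err` would make the reason for the early return clearer to anyone backporting this to other stable trees.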
--
1.8.3.2