[PATCH RFC] selinux: Fix SCTP error inconsistency in selinux_socket_bind()
Paul Moore
paul at paul-moore.com
Wed Dec 11 19:57:45 UTC 2024
On Nov 12, 2024 Mikhail Ivanov <ivanov.mikhail1 at huawei-partners.com> wrote:
>
> Check sk->sk_protocol instead of security class to recognize SCTP socket.
> SCTP socket is initialized with SECCLASS_SOCKET class if policy does not
> support EXTSOCKCLASS capability. In this case bind(2) hook wrongfully
> return EAFNOSUPPORT instead of EINVAL.
>
> The inconsistency was detected with help of Landlock tests:
> https://lore.kernel.org/all/b58680ca-81b2-7222-7287-0ac7f4227c3c@huawei-partners.com/
>
> Fixes: 0f8db8cc73df ("selinux: add AF_UNSPEC and INADDR_ANY checks to selinux_socket_bind()")
> Signed-off-by: Mikhail Ivanov <ivanov.mikhail1 at huawei-partners.com>
> ---
> security/selinux/hooks.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Looks good to me, merged into selinux/dev, thanks!
--
paul-moore.com
More information about the Linux-security-module-archive
mailing list