[RFC PATCH] selinux: Fix SCTP error inconsistency in selinux_socket_bind()
Mikhail Ivanov
ivanov.mikhail1 at huawei-partners.com
Tue Nov 12 14:52:03 UTC 2024
Check sk->sk_protocol instead of security class to recognize SCTP socket.
SCTP socket is initialized with SECCLASS_SOCKET class if policy does not
support EXTSOCKCLASS capability. In this case bind(2) hook wrongfully
return EAFNOSUPPORT instead of EINVAL.
The inconsistency was detected with help of Landlock tests:
https://lore.kernel.org/all/b58680ca-81b2-7222-7287-0ac7f4227c3c@huawei-partners.com/
Fixes: 0f8db8cc73df ("selinux: add AF_UNSPEC and INADDR_ANY checks to selinux_socket_bind()")
Signed-off-by: Mikhail Ivanov <ivanov.mikhail1 at huawei-partners.com>
---
security/selinux/hooks.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index ad3abd48eed1..15e31299a833 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4828,7 +4828,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
return err;
err_af:
/* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
- if (sksec->sclass == SECCLASS_SCTP_SOCKET)
+ if (sk->sk_protocol == IPPROTO_SCTP)
return -EINVAL;
return -EAFNOSUPPORT;
}
base-commit: d7b6918e22c74f2b354d8dc0ef31ab17ae334b93
--
2.34.1
More information about the Linux-security-module-archive
mailing list