authorJiri Slaby <jslaby@suse.cz>2019-05-17 06:54:10 +0200
committerJiri Slaby <jslaby@suse.cz>2019-05-17 06:54:11 +0200
commit3d34296dc1f9a3ba054dcae53ad6c109b42364ad (patch)
treecbca66cb74aea235a0dc1cb019dd7283ab98391d
parent49d8b5fa36367d763456d9761fd04d386196e5c9 (diff)
Revert "selinux: do not report error on connect(AF_UNSPEC)"
(git-fixes).
-rw-r--r--patches.suse/Revert-selinux-do-not-report-error-on-connect-AF_UNS.patch53
-rw-r--r--series.conf1
2 files changed, 54 insertions, 0 deletions
diff --git a/patches.suse/Revert-selinux-do-not-report-error-on-connect-AF_UNS.patch b/patches.suse/Revert-selinux-do-not-report-error-on-connect-AF_UNS.patch
new file mode 100644
index 0000000000..02e72e67d9
--- /dev/null
+++ b/patches.suse/Revert-selinux-do-not-report-error-on-connect-AF_UNS.patch
@@ -0,0 +1,53 @@
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Fri, 10 May 2019 11:37:58 +0200
+Subject: Revert "selinux: do not report error on connect(AF_UNSPEC)"
+Git-commit: e711ab936a44ee9f63f1746c09029543f1b29dd2
+Patch-mainline: 5.2-rc1
+References: git-fixes
+
+This reverts commit c7e0d6cca86581092cbbf2cd868b3601495554cf.
+
+It was agreed a slightly different fix via the selinux tree.
+
+v1 -> v2:
+ - use the correct reverted commit hash
+
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ security/selinux/hooks.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index d82b87c16b0a..c61787b15f27 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -4649,7 +4649,7 @@ static int selinux_socket_connect_helper(struct socket *sock,
+ struct lsm_network_audit net = {0,};
+ struct sockaddr_in *addr4 = NULL;
+ struct sockaddr_in6 *addr6 = NULL;
+- unsigned short snum = 0;
++ unsigned short snum;
+ u32 sid, perm;
+
+ /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
+@@ -4674,12 +4674,12 @@ static int selinux_socket_connect_helper(struct socket *sock,
+ break;
+ default:
+ /* Note that SCTP services expect -EINVAL, whereas
+- * others must handle this at the protocol level:
+- * connect(AF_UNSPEC) on a connected socket is
+- * a documented way disconnect the socket.
++ * others expect -EAFNOSUPPORT.
+ */
+ if (sksec->sclass == SECCLASS_SCTP_SOCKET)
+ return -EINVAL;
++ else
++ return -EAFNOSUPPORT;
+ }
+
+ err = sel_netport_sid(sk->sk_protocol, snum, &sid);
+--
+2.21.0
+
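Review bot: In the embedded security/selinux/hooks.c hunk, the restored `else return -EAFNOSUPPORT;` arm of `default:` makes the SELinux connect hook reject any non-SCTP connect() whose address family is not handled by the earlier cases. That includes AF_UNSPEC, which the removed comment describes as a documented way to disconnect a connected socket. The patch description says a slightly different fix was agreed via the selinux tree, but the diffstat shows only this revert being added to series.conf, so the replacement should be queued directly after it to avoid shipping the intermediate behaviour. Dropping the initialiser in `unsigned short snum;` appears safe only because both arms of `default:` now return before `sel_netport_sid()` reads it; the cases that assign `snum` are outside the hunk, so this is worth confirming against the full function.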
diff --git a/series.conf b/series.conf
index 5654c17b26..fa62e41539 100644
--- a/series.conf
+++ b/series.conf
@@ -467,6 +467,7 @@
# Security stuff
#
##########################################################
+ patches.suse/Revert-selinux-do-not-report-error-on-connect-AF_UNS.patch
##########################################################
# Audit