authorJiri Slaby <jslaby@suse.cz>2019-05-17 06:38:43 +0200
committerJiri Slaby <jslaby@suse.cz>2019-05-17 06:38:50 +0200
commit5c31ec63bc2ebb68cef0a7264a5e712259ec3258 (patch)
treed2067dc684c93a32b0dacafdbd06083aa79ee918
parente09adbff452e90fdb81e1f1a8b37e66a60c6968e (diff)
selinux: do not report error on connect(AF_UNSPEC)
-rw-r--r--patches.kernel.org/5.1.3-025-selinux-do-not-report-error-on-connect-AF_UNSPE.patch61
-rw-r--r--series.conf1
2 files changed, 62 insertions, 0 deletions
diff --git a/patches.kernel.org/5.1.3-025-selinux-do-not-report-error-on-connect-AF_UNSPE.patch b/patches.kernel.org/5.1.3-025-selinux-do-not-report-error-on-connect-AF_UNSPE.patch
new file mode 100644
index 0000000000..e4db4406a5
--- /dev/null
+++ b/patches.kernel.org/5.1.3-025-selinux-do-not-report-error-on-connect-AF_UNSPE.patch
@@ -0,0 +1,61 @@
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Wed, 8 May 2019 15:32:51 +0200
+Subject: [PATCH] selinux: do not report error on connect(AF_UNSPEC)
+References: bnc#1012628
+Patch-mainline: 5.1.3
+Git-commit: c7e0d6cca86581092cbbf2cd868b3601495554cf
+
+[ Upstream commit c7e0d6cca86581092cbbf2cd868b3601495554cf ]
+
+calling connect(AF_UNSPEC) on an already connected TCP socket is an
+established way to disconnect() such socket. After commit 68741a8adab9
+("selinux: Fix ltp test connect-syscall failure") it no longer works
+and, in the above scenario connect() fails with EAFNOSUPPORT.
+
+Fix the above falling back to the generic/old code when the address family
+is not AF_INET{4,6}, but leave the SCTP code path untouched, as it has
+specific constraints.
+
+Fixes: 68741a8adab9 ("selinux: Fix ltp test connect-syscall failure")
+Reported-by: Tom Deseyn <tdeseyn@redhat.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ security/selinux/hooks.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index 1d0b37af2444..28bff30c2f15 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -4572,7 +4572,7 @@ static int selinux_socket_connect_helper(struct socket *sock,
+ struct lsm_network_audit net = {0,};
+ struct sockaddr_in *addr4 = NULL;
+ struct sockaddr_in6 *addr6 = NULL;
+- unsigned short snum;
++ unsigned short snum = 0;
+ u32 sid, perm;
+
+ /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
+@@ -4595,12 +4595,12 @@ static int selinux_socket_connect_helper(struct socket *sock,
+ break;
+ default:
+ /* Note that SCTP services expect -EINVAL, whereas
+- * others expect -EAFNOSUPPORT.
++ * others must handle this at the protocol level:
++ * connect(AF_UNSPEC) on a connected socket is
++ * a documented way disconnect the socket.
+ */
+ if (sksec->sclass == SECCLASS_SCTP_SOCKET)
+ return -EINVAL;
+- else
+- return -EAFNOSUPPORT;
+ }
+
+ err = sel_netport_sid(sk->sk_protocol, snum, &sid);
+--
+2.21.0
+
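Review bot: With the `return -EAFNOSUPPORT` branch removed, a non-SCTP socket whose address family is neither AF_INET nor AF_INET6 now falls out of the switch and reaches `err = sel_netport_sid(sk->sk_protocol, snum, &sid);` with the newly zero-initialised `snum`, so the remainder of selinux_socket_connect_helper (outside this hunk) presumably performs its port permission check against the SID of port 0 rather than skipping it for an AF_UNSPEC disconnect. If that is the intended outcome it should be stated at the point of fall-through, e.g. `/* Other families (AF_UNSPEC disconnect) fall through with snum == 0 */`, since the `snum = 0` initialiser is the only visible guard and it fixes the uninitialised read without restricting which families reach the port lookup. The new comment text also drops a word: `* a documented way to disconnect the socket.`. The enclosing function starts and ends outside this hunk.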
diff --git a/series.conf b/series.conf
index 04a5131554..9c6726a546 100644
--- a/series.conf
+++ b/series.conf
@@ -110,6 +110,7 @@
patches.kernel.org/5.1.3-022-net-seeq-fix-crash-caused-by-not-set-dev.parent.patch
patches.kernel.org/5.1.3-023-net-ucc_geth-fix-Oops-when-changing-number-of-b.patch
patches.kernel.org/5.1.3-024-packet-Fix-error-path-in-packet_init.patch
+ patches.kernel.org/5.1.3-025-selinux-do-not-report-error-on-connect-AF_UNSPE.patch
########################################################
# Build fixes that apply to the vanilla kernel too.