diff mbox series

[RFC] selinux: Fix SCTP error inconsistency in selinux_socket_bind()

Message ID 20241112145203.2053193-1-ivanov.mikhail1@huawei-partners.com (mailing list archive)
State New
Headers show
Series [RFC] selinux: Fix SCTP error inconsistency in selinux_socket_bind() | expand

Commit Message

Mikhail Ivanov Nov. 12, 2024, 2:52 p.m. UTC 
Check sk->sk_protocol instead of security class to recognize SCTP socket.
SCTP socket is initialized with SECCLASS_SOCKET class if policy does not
support EXTSOCKCLASS capability. In this case bind(2) hook wrongfully
return EAFNOSUPPORT instead of EINVAL.

The inconsistency was detected with help of Landlock tests:
https://lore.kernel.org/all/b58680ca-81b2-7222-7287-0ac7f4227c3c@huawei-partners.com/

Fixes: 0f8db8cc73df ("selinux: add AF_UNSPEC and INADDR_ANY checks to selinux_socket_bind()")
Signed-off-by: Mikhail Ivanov <ivanov.mikhail1@huawei-partners.com>
---
 security/selinux/hooks.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


base-commit: d7b6918e22c74f2b354d8dc0ef31ab17ae334b93
diff mbox series

Patch

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index ad3abd48eed1..15e31299a833 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4828,7 +4828,7 @@  static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
 	return err;
 err_af:
 	/* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
-	if (sksec->sclass == SECCLASS_SCTP_SOCKET)
+	if (sk->sk_protocol == IPPROTO_SCTP)
 		return -EINVAL;
 	return -EAFNOSUPPORT;
 }