SELinux: Only return netlink error when we know the return is fatal

Some of the SELinux netlink code returns a fatal error when the error might actually be transient. This patch just silently drops packets on potentially transient errors but continues to return a permanant error indicator when the denial was because of policy. Based-on-comments-by: Paul Moore <paul.moore@hp.com> Signed-off-by: Eric Paris <eparis@redhat.com> Reviewed-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>

SELinux: Only return netlink error when we know the return is fatal
Some of the SELinux netlink code returns a fatal error when the error might actually be transient. This patch just silently drops packets on potentially transient errors but continues to return a permanant error indicator when the denial was because of policy. Based-on-comments-by: Paul Moore <paul.moore@hp.com> Signed-off-by: Eric Paris <eparis@redhat.com> Reviewed-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
04f6d70f · Eric Paris · David S. Miller · eb06acdc · 04f6d70f
Commit 04f6d70f authored Nov 23, 2010 by Eric Paris Committed by David S. Miller Nov 23, 2010
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 4 deletions

security/selinux/hooks.c security/selinux/hooks.c +4 -4

No files found.
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4589,7 +4589,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
 		}
 		if (secmark_perm == PACKET__FORWARD_OUT) {
 			if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
-				return NF_DROP_ERR(-ECONNREFUSED);
+				return NF_DROP;
 		} else
 			peer_sid = SECINITSID_KERNEL;
 	} else {
@@ -4602,7 +4602,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
 	ad.u.net.netif = ifindex;
 	ad.u.net.family = family;
 	if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
-		return NF_DROP_ERR(-ECONNREFUSED);
+		return NF_DROP;

 	if (secmark_active)
 		if (avc_has_perm(peer_sid, skb->secmark,
@@ -4614,13 +4614,13 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
 		u32 node_sid;

 		if (sel_netif_sid(ifindex, &if_sid))
-			return NF_DROP_ERR(-ECONNREFUSED);
+			return NF_DROP;
 		if (avc_has_perm(peer_sid, if_sid,
 				 SECCLASS_NETIF, NETIF__EGRESS, &ad))
 			return NF_DROP_ERR(-ECONNREFUSED);

 		if (sel_netnode_sid(addrp, family, &node_sid))
-			return NF_DROP_ERR(-ECONNREFUSED);
+			return NF_DROP;
 		if (avc_has_perm(peer_sid, node_sid,
 				 SECCLASS_NODE, NODE__SENDTO, &ad))
 			return NF_DROP_ERR(-ECONNREFUSED);