Commit 1f440c99 authored by Huw Davies's avatar Huw Davies Committed by Paul Moore

netlabel: Prevent setsockopt() from changing the hop-by-hop option.

If a socket has a netlabel in place then don't let setsockopt() alter
the socket's IPv6 hop-by-hop option.  This is in the same spirit as
the existing check for IPv4.
Signed-off-by: default avatarHuw Davies <huw@codeweavers.com>
Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
parent ceba1832
...@@ -409,6 +409,21 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, ...@@ -409,6 +409,21 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
return rc; return rc;
} }
/**
* selinux_netlbl_option - Is this a NetLabel option
* @level: the socket level or protocol
* @optname: the socket option name
*
* Description:
* Returns true if @level and @optname refer to a NetLabel option.
* Helper for selinux_netlbl_socket_setsockopt().
*/
static inline int selinux_netlbl_option(int level, int optname)
{
return (level == IPPROTO_IP && optname == IP_OPTIONS) ||
(level == IPPROTO_IPV6 && optname == IPV6_HOPOPTS);
}
/** /**
* selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel * selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel
* @sock: the socket * @sock: the socket
...@@ -431,7 +446,7 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock, ...@@ -431,7 +446,7 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock,
struct sk_security_struct *sksec = sk->sk_security; struct sk_security_struct *sksec = sk->sk_security;
struct netlbl_lsm_secattr secattr; struct netlbl_lsm_secattr secattr;
if (level == IPPROTO_IP && optname == IP_OPTIONS && if (selinux_netlbl_option(level, optname) &&
(sksec->nlbl_state == NLBL_LABELED || (sksec->nlbl_state == NLBL_LABELED ||
sksec->nlbl_state == NLBL_CONNLABELED)) { sksec->nlbl_state == NLBL_CONNLABELED)) {
netlbl_secattr_init(&secattr); netlbl_secattr_init(&secattr);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment