On Tue, 2017-10-31 at 15:16 -0200, Marcelo Ricardo Leitner wrote:

On Tue, Oct 17, 2017 at 02:59:53PM +0100, Richard Haines wrote:

quoted

The SELinux SCTP implementation is explained in:
Documentation/security/SELinux-sctp.txt

Signed-off-by: Richard Haines <redacted>
---

...

quoted

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 33fd061..c3e9600 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c

...

quoted

@@ -4521,7 +4565,14 @@ static int selinux_socket_connect(struct

socket *sock, struct sockaddr *address,
 		unsigned short snum;
 		u32 sid, perm;
 
-		if (sk->sk_family == PF_INET) {
+		/* sctp_connectx(3) calls via
+		 *selinux_sctp_bind_connect() that validates
multiple
+		 * connect addresses. Because of this need to
check
+		 * address->sa_family as it is possible to have
+		 * sk->sk_family = PF_INET6 with addr->sa_family =
AF_INET.
+		 */
+		if (sk->sk_family == PF_INET ||
+					address->sa_family ==
AF_INET) {

Not sure which code style applies on this file but the if () above
looks odd. At least, checkpatch.pl complained about it.

Changed to read:
		if (sk->sk_family == PF_INET ||
		    address->sa_family == AF_INET) {

  Marcelo
--
To unsubscribe from this list: send the line "unsubscribe linux-
security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html