commit e6dca1fd3c713eaf69ff16fb23c6dc683082a2f8
Author: Ondrej Mosnacek
Date: Tue Feb 6 15:39:21 2024 +0100

TEST

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 55c78c318ccd..a5db62130d41 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1292,7 +1292,7 @@ static inline u16 socket_type_to_security_class(int family, int type, int protoc
 case PF_QIPCRTR:
 return SECCLASS_QIPCRTR_SOCKET;
 case PF_SMC:
- return SECCLASS_SMC_SOCKET;
+ return SECCLASS_TCP_SOCKET;
 case PF_XDP:
 return SECCLASS_XDP_SOCKET;
 case PF_MCTP:
@@ -4772,6 +4772,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
 }
 }
 
+ // FIXME: do the same here
 switch (sksec->sclass) {
 case SECCLASS_TCP_SOCKET:
 node_perm = TCP_SOCKET__NODE_BIND;
@@ -4852,6 +4853,7 @@ static int selinux_socket_connect_helper(struct socket *sock,
 struct sockaddr_in6 *addr6 = NULL;
 unsigned short snum;
 u32 sid, perm;
+ u8 protocol;
 
 /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
 * that validates multiple connect addresses. Because of this
@@ -4881,22 +4883,25 @@ static int selinux_socket_connect_helper(struct socket *sock,
 return -EAFNOSUPPORT;
 }
 
- err = sel_netport_sid(sk->sk_protocol, snum, &sid);
- if (err)
- return err;
-
 switch (sksec->sclass) {
 case SECCLASS_TCP_SOCKET:
+ protocol = IPPROTO_TCP;
 perm = TCP_SOCKET__NAME_CONNECT;
 break;
 case SECCLASS_DCCP_SOCKET:
+ protocol = IPPROTO_DCCP;
 perm = DCCP_SOCKET__NAME_CONNECT;
 break;
 case SECCLASS_SCTP_SOCKET:
+ protocol = IPPROTO_SCTP;
 perm = SCTP_SOCKET__NAME_CONNECT;
 break;
 }
 
+ err = sel_netport_sid(protocol, snum, &sid);
+ if (err)
+ return err;
+
 ad.type = LSM_AUDIT_DATA_NET;
 ad.u.net = &net;
 ad.u.net->dport = htons(snum);
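Review bot: Returning SECCLASS_TCP_SOCKET for PF_SMC means this function no longer yields SECCLASS_SMC_SOCKET for any family, so any policy rules written against the smc_socket class stop matching and SMC sockets are mediated under tcp_socket permissions instead; the commit message ("TEST") does not say whether that is the intent. If it is, the case deserves a comment giving the rationale, e.g. `/* SMC sockets are mediated under the tcp_socket class */`, and the now-unreturned SECCLASS_SMC_SOCKET should presumably be removed from or marked deprecated in the class map so the two do not drift apart. socket_type_to_security_class's body starts and ends outside this hunk.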
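Review bot: The added `// FIXME: do the same here` does not say what "the same" is, and the surrounding SELinux code uses `/* */` comments rather than `//`. Presumably it refers to the connect-helper change later in this patch, where the protocol passed to sel_netport_sid() is derived from sksec->sclass instead of sk->sk_protocol; selinux_socket_bind's own sel_netport_sid() call is outside this hunk, so I cannot confirm it still uses sk->sk_protocol. If it does, then with PF_SMC now mapped to SECCLASS_TCP_SOCKET an SMC socket, whose sk_protocol is not necessarily IPPROTO_TCP, would get a different port label at bind time than at connect time. Suggest `/* FIXME: derive the sel_netport_sid() protocol from sksec->sclass, as selinux_socket_connect_helper() does */`, or better, applying the same switch here before this leaves the test stage.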
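Review bot: `protocol` is assigned only in the three case labels, so for any other `sksec->sclass` value it reaches the new `sel_netport_sid(protocol, snum, &sid)` call uninitialized (`perm` already had the same shape, but this change adds a second such variable and GCC is likely to flag it with -Wmaybe-uninitialized). If the guard preceding this switch, which lies outside the hunk, already restricts sclass to these three classes, a `default:` still documents that invariant and keeps the build quiet: add `default: return -EINVAL;` before the switch's closing brace, or a `WARN_ON_ONCE(1)` there if an unexpected class should be loud. selinux_socket_connect_helper's body begins and ends outside this hunk.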