git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob - queue-5.1/selinux-do-not-report-error-on-connect-af_unspec.patch
1 From foo@baz Wed 15 May 2019 07:51:30 AM CEST
2 From: Paolo Abeni <pabeni@redhat.com>
3 Date: Wed, 8 May 2019 15:32:51 +0200
4 Subject: selinux: do not report error on connect(AF_UNSPEC)
5
6 From: Paolo Abeni <pabeni@redhat.com>
7
8 [ Upstream commit c7e0d6cca86581092cbbf2cd868b3601495554cf ]
9
10 calling connect(AF_UNSPEC) on an already connected TCP socket is an
11 established way to disconnect() such socket. After commit 68741a8adab9
12 ("selinux: Fix ltp test connect-syscall failure") it no longer works
13 and, in the above scenario connect() fails with EAFNOSUPPORT.
14
15 Fix the above falling back to the generic/old code when the address family
16 is not AF_INET{4,6}, but leave the SCTP code path untouched, as it has
17 specific constraints.
18
19 Fixes: 68741a8adab9 ("selinux: Fix ltp test connect-syscall failure")
20 Reported-by: Tom Deseyn <tdeseyn@redhat.com>
21 Signed-off-by: Paolo Abeni <pabeni@redhat.com>
22 Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
23 Signed-off-by: David S. Miller <davem@davemloft.net>
24 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
25 ---
26 security/selinux/hooks.c | 8 ++++----
27 1 file changed, 4 insertions(+), 4 deletions(-)
28
29 --- a/security/selinux/hooks.c
30 +++ b/security/selinux/hooks.c
31 @@ -4572,7 +4572,7 @@ static int selinux_socket_connect_helper
32 struct lsm_network_audit net = {0,};
33 struct sockaddr_in *addr4 = NULL;
34 struct sockaddr_in6 *addr6 = NULL;
35 - unsigned short snum;
36 + unsigned short snum = 0;
37 u32 sid, perm;
38
39 /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
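Review bot: the new initialiser `unsigned short snum = 0;` has no comment saying why it is needed, and the reason is only visible in the second hunk: once the `else return -EAFNOSUPPORT;` is dropped, the `default:` case can reach `sel_netport_sid(sk->sk_protocol, snum, &sid)` without either address-family case having assigned `snum`. Consider a short comment at the declaration, or assigning `snum = 0` inside the `default:` branch, so that the dependency between the two changes is obvious to whoever next touches the switch.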
40 @@ -4595,12 +4595,12 @@ static int selinux_socket_connect_helper
41 break;
42 default:
43 /* Note that SCTP services expect -EINVAL, whereas
44 - * others expect -EAFNOSUPPORT.
45 + * others must handle this at the protocol level:
46 + * connect(AF_UNSPEC) on a connected socket is
47 + * a documented way disconnect the socket.
48 */
49 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
50 return -EINVAL;
51 - else
52 - return -EAFNOSUPPORT;
53 }
54
55 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
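Review bot: with the `else return -EAFNOSUPPORT;` removed, the `default:` branch lets every address family other than the two handled above fall through for non-SCTP sockets, not only AF_UNSPEC, and the following `sel_netport_sid(sk->sk_protocol, snum, &sid)` then runs a port lookup with `snum` equal to 0. The commit message says this fallback is intended for any non-INET family, so it would help to say that in the comment too, and to state what the port-0 check means for a disconnect, since the comment currently mentions only the connect(AF_UNSPEC) case. The new comment text also drops a word: "a documented way disconnect the socket" should read "a documented way to disconnect the socket".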