diff options
| author | Ondrej Mosnacek <omosnace@redhat.com> | 2024-01-26 19:45:31 +0100 |
|---|---|---|
| committer | Sasha Levin <sashal@kernel.org> | 2024-03-15 10:48:20 -0400 |
| commit | c09ffff246cab96cc35eb40b3faf849b7cfa3ae0 (patch) | |
| tree | 35c92831c55305136c4eb7fb1ec95e9756dc6b11 /security | |
| parent | ea6e87db9037f285b3d3d269bb405e0e8dd15d34 (diff) | |
lsm: fix default return value of the socket_getpeersec_*() hooks
[ Upstream commit 5a287d3d2b9de2b3e747132c615599907ba5c3c1 ]
For these hooks the true "neutral" value is -EOPNOTSUPP, which is
currently what is returned when no LSM provides this hook and what LSMs
return when there is no security context set on the socket. Correct the
value in <linux/lsm_hooks.h> and adjust the dispatch functions in
security/security.c to avoid issues when the BPF LSM is enabled.
Cc: stable@vger.kernel.org
Fixes: 98e828a0650f ("security: Refactor declaration of LSM hooks")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
[PM: subject line tweak]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'security')
| -rw-r--r-- | security/security.c | 31 |
1 files changed, 27 insertions, 4 deletions
diff --git a/security/security.c b/security/security.c index e9dcde3c4f14..0bbcb100ba8e 100644 --- a/security/security.c +++ b/security/security.c @@ -2227,14 +2227,37 @@ EXPORT_SYMBOL(security_sock_rcv_skb); int security_socket_getpeersec_stream(struct socket *sock, sockptr_t optval, sockptr_t optlen, unsigned int len) { - return call_int_hook(socket_getpeersec_stream, -ENOPROTOOPT, sock, - optval, optlen, len); + struct security_hook_list *hp; + int rc; + + /* + * Only one module will provide a security context. + */ + hlist_for_each_entry(hp, &security_hook_heads.socket_getpeersec_stream, + list) { + rc = hp->hook.socket_getpeersec_stream(sock, optval, optlen, + len); + if (rc != LSM_RET_DEFAULT(socket_getpeersec_stream)) + return rc; + } + return LSM_RET_DEFAULT(socket_getpeersec_stream); } int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) { - return call_int_hook(socket_getpeersec_dgram, -ENOPROTOOPT, sock, - skb, secid); + struct security_hook_list *hp; + int rc; + + /* + * Only one module will provide a security context. + */ + hlist_for_each_entry(hp, &security_hook_heads.socket_getpeersec_dgram, + list) { + rc = hp->hook.socket_getpeersec_dgram(sock, skb, secid); + if (rc != LSM_RET_DEFAULT(socket_getpeersec_dgram)) + return rc; + } + return LSM_RET_DEFAULT(socket_getpeersec_dgram); } EXPORT_SYMBOL(security_socket_getpeersec_dgram); |