author | Andrew Morton <akpm@osdl.org> | 2004-02-15 18:06:53 -0800 |
---|---|---|
committer | Linus Torvalds <torvalds@home.osdl.org> | 2004-02-15 18:06:53 -0800 |
commit | b01d7ca34aa35fa2b1b57693cc13ab7ba7bd5b3f (patch) | |
tree | 213eb03a7bfcbebe144e2668771ce7b865609597 /security | |
parent | e76445c88353f558aa49c4f52b4d0a713959eef8 (diff) | |
[PATCH] SELinux: Fix error handling bug.
From: James Morris <jmorris@redhat.com>
The patch below fixes an error handling flaw, where we need to return a
Netfilter verdict from the function rather than a standard error code.
Diffstat (limited to 'security')
-rw-r--r-- | security/selinux/hooks.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index aa07acdf37a213..8c0ea6a4ee3fb7 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3179,8 +3179,9 @@ static unsigned int selinux_ip_postroute_last(unsigned int hooknum, /* Fixme: this lookup is inefficient */ iph = skb->nh.iph; - err = security_node_sid(PF_INET, &iph->daddr, sizeof(iph->daddr), &node_sid); - if (err) + err = security_node_sid(PF_INET, &iph->daddr, sizeof(iph->daddr), + &node_sid) ? NF_DROP : NF_ACCEPT; + if (err != NF_ACCEPT) goto out; err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, |
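Review bot: In selinux_ip_postroute_last(), `err` holds a Netfilter verdict (NF_DROP or NF_ACCEPT) after the security_node_sid() call, but the next context line reassigns the same variable from avc_has_perm(), so one variable alternates between verdicts and error codes on the way to `out`. The hunk does not show that later result being mapped to a verdict; if it is not, the function, which returns unsigned int, could still hand a standard error code back to Netfilter on that path. Consider keeping `err` as a plain error code throughout and converting once at `out`, or using a separate variable for the verdict, for example `verdict = err ? NF_DROP : NF_ACCEPT;`, and confirm that every remaining `err =` assignment before `out` is handled the same way.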