From: James Morris <jmorris@redhat.com>

This patch fixes a bug where the return value for a permission call is not 
checked.

The bug was introduced when I added some code in the following changeset:

<http://linux.bkbits.net:8080/linux-2.5/diffs/security/selinux/hooks.c@1.19?nav=index.html|src/|src/security|src/security/selinux|hist/security/selinux/hooks.c>

Code was added after this line:

	err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, node_perm, NULL, &ad);

without adding an explicit check of 'err', which was previously returned 
from the function rather than being checked, i.e. it would drop through 
to:

	out:
		return err;
	}

With the new code added, err can (and typically would) be overwritten with 
a successful value, causing the permission check to not deny permission if 
needed.  The intended denial would have been logged.

The patch below fixes this problem.


---

 25-akpm/security/selinux/hooks.c |    2 ++
 1 files changed, 2 insertions(+)

diff -puN security/selinux/hooks.c~selinux-permission-retval-fix security/selinux/hooks.c
--- 25/security/selinux/hooks.c~selinux-permission-retval-fix	Thu Mar 25 14:20:07 2004
+++ 25-akpm/security/selinux/hooks.c	Thu Mar 25 14:20:07 2004
@@ -3040,6 +3040,8 @@ static int selinux_socket_sock_rcv_skb(s
 		goto out;
 	
 	err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, node_perm, NULL, &ad);
+	if (err)
+		goto out;
 
 	if (recv_perm) {
 		u32 port_sid;
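Review bot: The `if (err) goto out;` added after the SECCLASS_NODE call is the right shape and matches the `goto out;` at the top of the hunk, but the `if (recv_perm)` branch that follows is cut off after `u32 port_sid;`, so confirm that its own avc_has_perm() result is the last assignment to err before `out:` and is not itself followed by another unchecked call, since the same overwrite pattern would otherwise recur there.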

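The failure mode described in the message above, as an added example that is not part of the original mail or of the kernel source: a stub stands in for avc_has_perm() (its name, signature and the two class constants here are assumptions for the demo), and the two functions model the rcv_skb path before and after the patch. With the NODE check denied and a later port check that succeeds, the buggy version returns 0 because the denial is overwritten, while the fixed version short-circuits to out: with the denial intact.

```c
/* Added example, not kernel code: models the unchecked return value bug
 * fixed by the patch above. avc_has_perm_stub() is a constructed stand-in
 * for avc_has_perm() that denies exactly one class. */
#include <errno.h>
#include <stdio.h>

/* Assumed class identifiers for the demo; the kernel's values differ. */
#define DEMO_CLASS_NODE 1
#define DEMO_CLASS_PORT 2

/* Stub for avc_has_perm(): -EACCES for the class we chose to deny, 0 otherwise.
 * A real AVC would also audit the denial, which is why the mail says the
 * intended denial would have been logged but not enforced. */
static int avc_has_perm_stub(int tclass, int denied_class)
{
    return tclass == denied_class ? -EACCES : 0;
}

/* Before the fix: the NODE result sits in err but is overwritten when the
 * recv_perm branch runs, so a denial can fall through to out: as 0. */
int sock_rcv_skb_buggy(int denied_class, int recv_perm)
{
    int err;

    err = avc_has_perm_stub(DEMO_CLASS_NODE, denied_class);

    if (recv_perm)
        err = avc_has_perm_stub(DEMO_CLASS_PORT, denied_class);

    return err;
}

/* After the fix: a NODE denial jumps straight to out: and is returned. */
int sock_rcv_skb_fixed(int denied_class, int recv_perm)
{
    int err;

    err = avc_has_perm_stub(DEMO_CLASS_NODE, denied_class);
    if (err)
        goto out;

    if (recv_perm)
        err = avc_has_perm_stub(DEMO_CLASS_PORT, denied_class);
out:
    return err;
}

/* Reproduces the bug: NODE denied, port check present and allowed.
 * Returns 1 when the buggy path allows (0) while the fixed path denies. */
int bug_reproduced(void)
{
    int buggy = sock_rcv_skb_buggy(DEMO_CLASS_NODE, 1);
    int fixed = sock_rcv_skb_fixed(DEMO_CLASS_NODE, 1);

    return buggy == 0 && fixed == -EACCES;
}

int main(void)
{
    /* Case 1: node denied, recv_perm set -> the overwrite happens. */
    printf("node denied, recv_perm=1: buggy=%d fixed=%d (reproduced=%d)\n",
           sock_rcv_skb_buggy(DEMO_CLASS_NODE, 1),
           sock_rcv_skb_fixed(DEMO_CLASS_NODE, 1),
           bug_reproduced());
    /* Case 2: node denied, recv_perm clear -> both versions deny, which is
     * why the bug only shows up when a later check follows. */
    printf("node denied, recv_perm=0: buggy=%d fixed=%d\n",
           sock_rcv_skb_buggy(DEMO_CLASS_NODE, 0),
           sock_rcv_skb_fixed(DEMO_CLASS_NODE, 0));
    /* Case 3: port denied -> both versions deny via the second check. */
    printf("port denied, recv_perm=1: buggy=%d fixed=%d\n",
           sock_rcv_skb_buggy(DEMO_CLASS_PORT, 1),
           sock_rcv_skb_fixed(DEMO_CLASS_PORT, 1));
    return 0;
}
```

The second case is the reason the bug is easy to miss in testing: with no port permission to check, the NODE denial is still returned correctly, so only packets that trigger both checks expose the overwrite.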