selinux: Fix SCTP error inconsistency in selinux_socket_bind()

sm1ling-knight · pcmoore · commit 034294fbfdf0 · 2024-12-11T14:57:47.000-05:00
Check sk->sk_protocol instead of security class to recognize SCTP socket. SCTP socket is initialized with SECCLASS_SOCKET class if policy does not support EXTSOCKCLASS capability. In this case bind(2) hook wrongfully return EAFNOSUPPORT instead of EINVAL. The inconsistency was detected with help of Landlock tests: https://lore.kernel.org/all/b58680ca-81b2-7222-7287-0ac7f4227c3c@huawei-partners.com/ Fixes: 0f8db8c ("selinux: add AF_UNSPEC and INADDR_ANY checks to selinux_socket_bind()") Signed-off-by: Mikhail Ivanov <ivanov.mikhail1@huawei-partners.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
@@ -4835,7 +4835,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
 	return err;
 err_af:
 	/* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
-	if (sksec->sclass == SECCLASS_SCTP_SOCKET)
+	if (sk->sk_protocol == IPPROTO_SCTP)
 		return -EINVAL;
 	return -EAFNOSUPPORT;
 }

Original file line number	Diff line number	Diff line change
`@@ -4835,7 +4835,7 @@ static int selinux_socket_bind(struct socket sock, struct sockaddr address, in`
`4835`	`4835`	`return err;`
`4836`	`4836`	`err_af:`
`4837`	`4837`	`/* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */`
`4838`		`- if (sksec->sclass == SECCLASS_SCTP_SOCKET)`
	`4838`	`+ if (sk->sk_protocol == IPPROTO_SCTP)`
`4839`	`4839`	`return -EINVAL;`
`4840`	`4840`	`return -EAFNOSUPPORT;`
`4841`	`4841`	`}`