diff options
author | Paul Moore <paul.moore@hp.com> | 2008-10-10 10:16:31 -0400 |
---|---|---|
committer | Paul Moore <paul.moore@hp.com> | 2008-10-10 10:16:31 -0400 |
commit | dfaebe9825ff34983778f287101bc5f3bce00640 (patch) | |
tree | 4dccdcdcecd57fc8bfc083ff30d9e0ecb2e7ecba /security/selinux/netlabel.c | |
parent | 99d854d231ce141850b988bdc7e2e7c78f49b03a (diff) | |
download | talos-op-linux-dfaebe9825ff34983778f287101bc5f3bce00640.tar.gz talos-op-linux-dfaebe9825ff34983778f287101bc5f3bce00640.zip |
selinux: Fix missing calls to netlbl_skbuff_err()
At some point I think I messed up and dropped the calls to netlbl_skbuff_err()
which are necessary for CIPSO to send error notifications to remote systems.
This patch re-introduces the error handling calls into the SELinux code.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/netlabel.c')
-rw-r--r-- | security/selinux/netlabel.c | 20 |
1 files changed, 19 insertions, 1 deletions
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c index b9ce5fcf3432..4053f7fc95fb 100644 --- a/security/selinux/netlabel.c +++ b/security/selinux/netlabel.c @@ -108,6 +108,24 @@ void selinux_netlbl_cache_invalidate(void) } /** + * selinux_netlbl_err - Handle a NetLabel packet error + * @skb: the packet + * @error: the error code + * @gateway: true if host is acting as a gateway, false otherwise + * + * Description: + * When a packet is dropped due to a call to avc_has_perm() pass the error + * code to the NetLabel subsystem so any protocol specific processing can be + * done. This is safe to call even if you are unsure if NetLabel labeling is + * present on the packet, NetLabel is smart enough to only act when it should. + * + */ +void selinux_netlbl_err(struct sk_buff *skb, int error, int gateway) +{ + netlbl_skbuff_err(skb, error, gateway); +} + +/** * selinux_netlbl_sk_security_reset - Reset the NetLabel fields * @ssec: the sk_security_struct * @family: the socket family @@ -289,7 +307,7 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, return 0; if (nlbl_sid != SECINITSID_UNLABELED) - netlbl_skbuff_err(skb, rc); + netlbl_skbuff_err(skb, rc, 0); return rc; } |