selinux: correct return values in selinux_socket_getpeersec_dgram()
authorPaul Moore <paul@paul-moore.com>
Tue, 30 Jan 2024 21:16:29 +0000 (16:16 -0500)
committerPaul Moore <paul@paul-moore.com>
Fri, 2 Feb 2024 18:46:39 +0000 (13:46 -0500)
Instead of returning -EINVAL if any type of error occurs, limit
-EINVAL to only those errors caused by passing a bad/invalid socket
or packet/skb.  In other cases where everything is correct but there
isn't a valid peer label we return -ENOPROTOOPT.

This helps make selinux_socket_getpeersec_dgram() more consistent
with selinux_socket_getpeersec_stream().

Signed-off-by: Paul Moore <paul@paul-moore.com>
security/selinux/hooks.c

index 48ae90327fa4e3d09957d6626dab0c636982068d..630ada3d208c84fb8a1c997c6da63300ac65292f 100644 (file)
@@ -5193,11 +5193,11 @@ out_len:
        return err;
 }
 
-static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
+static int selinux_socket_getpeersec_dgram(struct socket *sock,
+                                          struct sk_buff *skb, u32 *secid)
 {
        u32 peer_secid = SECSID_NULL;
        u16 family;
-       struct inode_security_struct *isec;
 
        if (skb && skb->protocol == htons(ETH_P_IP))
                family = PF_INET;
@@ -5205,19 +5205,21 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *
                family = PF_INET6;
        else if (sock)
                family = sock->sk->sk_family;
-       else
-               goto out;
+       else {
+               *secid = SECSID_NULL;
+               return -EINVAL;
+       }
 
        if (sock && family == PF_UNIX) {
+               struct inode_security_struct *isec;
                isec = inode_security_novalidate(SOCK_INODE(sock));
                peer_secid = isec->sid;
        } else if (skb)
                selinux_skb_peerlbl_sid(skb, family, &peer_secid);
 
-out:
        *secid = peer_secid;
        if (peer_secid == SECSID_NULL)
-               return -EINVAL;
+               return -ENOPROTOOPT;
        return 0;
 }
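Review bot: The new `else {` arm that sets `*secid = SECSID_NULL` and returns -EINVAL is the only braced arm of the `if`/`else if` chain above it, which is the mixed-arm form checkpatch flags; brace the whole chain, e.g. `} else if (sock) {` / `family = sock->sk->sk_family;` / `} else {`, so every arm reads the same way. The relocated `struct inode_security_struct *isec;` declaration now sits directly against the `isec = inode_security_novalidate(SOCK_INODE(sock));` statement with no blank line after the declaration, another checkpatch warning worth clearing while the block is being touched. Separately, the return value of `selinux_skb_peerlbl_sid(skb, family, &peer_secid)` is still discarded, so if that helper reports failures through its return value (not visible in this hunk), a failed lookup and a genuinely absent peer label both collapse into -ENOPROTOOPT, which blurs the bad-input vs. no-label distinction the commit message sets out to make; either propagate that error or add a one-line comment above the call noting that the collapse is intentional.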