---

yaml --- r: 80895 b: refs/heads/master c: 71f1cb0 h: refs/heads/master i: 80893: 6ce676f 80891: 644d226 80887: 6a9bf82 80879: 6b1f93e 80863: 3cbc760 80831: 1965621 80767: e8ec969 80639: 4ec94cc 80383: e13e23c 79871: 60968cb v: v3
git-mirror · Jan 29, 2008 · 8751fd4 · 8751fd4
1 parent 648a589
commit 8751fd4
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 9 deletions.
diff --git a/[refs] b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: effad8df44261031a882e1a895415f7186a5098e
+refs/heads/master: 71f1cb05f773661b6fa98c7a635d7a395cd9c55d
diff --git a/trunk/security/selinux/hooks.c b/trunk/security/selinux/hooks.c
@@ -3443,6 +3443,11 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
 		break;
 	}
 
+	if (unlikely(ret))
+		printk(KERN_WARNING
+		       "SELinux: failure in selinux_parse_skb(),"
+		       " unable to parse packet\n");
+
 	return ret;
 }
 
@@ -3463,17 +3468,21 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
  */
 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
 {
+	int err;
 	u32 xfrm_sid;
 	u32 nlbl_sid;
 	u32 nlbl_type;
 
 	selinux_skb_xfrm_sid(skb, &xfrm_sid);
 	selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
 
-	if (security_net_peersid_resolve(nlbl_sid, nlbl_type,
-					 xfrm_sid,
-					 sid) != 0)
+	err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
+	if (unlikely(err)) {
+		printk(KERN_WARNING
+		       "SELinux: failure in selinux_skb_peerlbl_sid(),"
+		       " unable to determine packet's peer label\n");
 		return -EACCES;
+	}
 
 	return 0;
 }
@@ -3925,8 +3934,13 @@ static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
 	err = security_port_sid(sk->sk_family, sk->sk_type,
 				sk->sk_protocol, ntohs(ad->u.net.sport),
 				&port_sid);
-	if (err)
+	if (unlikely(err)) {
+		printk(KERN_WARNING
+		       "SELinux: failure in"
+		       " selinux_sock_rcv_skb_iptables_compat(),"
+		       " network port label not found\n");
 		return err;
+	}
 	return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
 }
 
@@ -4343,8 +4357,13 @@ static int selinux_ip_postroute_iptables_compat(struct sock *sk,
 	err = security_port_sid(sk->sk_family, sk->sk_type,
 				sk->sk_protocol, ntohs(ad->u.net.dport),
 				&port_sid);
-	if (err)
+	if (unlikely(err)) {
+		printk(KERN_WARNING
+		       "SELinux: failure in"
+		       " selinux_ip_postroute_iptables_compat(),"
+		       " network port label not found\n");
 		return err;
+	}
 	return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
 }
 

diff --git a/trunk/security/selinux/netif.c b/trunk/security/selinux/netif.c
@@ -157,8 +157,12 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid)
 	 * currently support containers */
 
 	dev = dev_get_by_index(&init_net, ifindex);
-	if (dev == NULL)
+	if (unlikely(dev == NULL)) {
+		printk(KERN_WARNING
+		       "SELinux: failure in sel_netif_sid_slow(),"
+		       " invalid network interface (%d)\n", ifindex);
 		return -ENOENT;
+	}
 
 	spin_lock_bh(&sel_netif_lock);
 	netif = sel_netif_find(ifindex);
@@ -184,8 +188,13 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid)
 out:
 	spin_unlock_bh(&sel_netif_lock);
 	dev_put(dev);
-	if (ret != 0)
+	if (unlikely(ret)) {
+		printk(KERN_WARNING
+		       "SELinux: failure in sel_netif_sid_slow(),"
+		       " unable to determine network interface label (%d)\n",
+		       ifindex);
 		kfree(new);
+	}
 	return ret;
 }
 

diff --git a/trunk/security/selinux/netnode.c b/trunk/security/selinux/netnode.c
@@ -264,8 +264,12 @@ static int sel_netnode_sid_slow(void *addr, u16 family, u32 *sid)
 
 out:
 	spin_unlock_bh(&sel_netnode_lock);
-	if (ret != 0)
+	if (unlikely(ret)) {
+		printk(KERN_WARNING
+		       "SELinux: failure in sel_netnode_sid_slow(),"
+		       " unable to determine network node label\n");
 		kfree(new);
+	}
 	return ret;
 }