linux_old1/security
Paul Moore 09c50b4a52 selinux: Fix the NetLabel glue code for setsockopt()
At some point we (okay, I) managed to break the ability for users to use the
setsockopt() syscall to set IPv4 options when NetLabel was not active on the
socket in question.  The problem was noticed by someone trying to use the
"-R" (record route) option of ping:

 # ping -R 10.0.0.1
 ping: record route: No message of desired type

The solution is relatively simple, we catch the unlabeled socket case and
clear the error code, allowing the operation to succeed.  Please note that we
still deny users the ability to override IPv4 options on socket's which have
NetLabel labeling active; this is done to ensure the labeling remains intact.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
2009-02-23 10:05:55 +11:00
..
keys security: introduce missing kfree 2009-01-17 14:24:46 -08:00
selinux selinux: Fix the NetLabel glue code for setsockopt() 2009-02-23 10:05:55 +11:00
smack smackfs load append mode fix 2009-01-27 20:13:32 -08:00
Kconfig introduce new LSM hooks where vfsmount is available. 2008-12-31 18:07:37 -05:00
Makefile securityfs: do not depend on CONFIG_SECURITY 2008-08-28 10:47:42 +10:00
capability.c Revert "CRED: Fix regression in cap_capable() as shown up by sys_faccessat() [ver #2]" 2009-01-07 09:21:54 +11:00
commoncap.c Merge branch 'next' into for-linus 2009-01-07 09:58:22 +11:00
device_cgroup.c devices cgroup: allow mkfifo 2009-01-08 08:31:03 -08:00
inode.c zero i_uid/i_gid on inode allocation 2009-01-05 11:54:28 -05:00
root_plug.c Revert "CRED: Fix regression in cap_capable() as shown up by sys_faccessat() [ver #2]" 2009-01-07 09:21:54 +11:00
security.c Merge branch 'next' into for-linus 2009-01-07 09:58:22 +11:00