Diffstat (limited to 'security/selinux/hooks.c')
| -rw-r--r-- | security/selinux/hooks.c | 23 | 
1 files changed, 5 insertions, 18 deletions
|
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index b4e1ca021fc..8ffed9f2004 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4475,27 +4475,14 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
 	 * from the sending socket, otherwise use the kernel's sid */
 	sk = skb->sk;
 	if (sk == NULL) {
-		switch (family) {
-		case PF_INET:
-			if (IPCB(skb)->flags & IPSKB_FORWARDED)
-				secmark_perm = PACKET__FORWARD_OUT;
-			else
-				secmark_perm = PACKET__SEND;
-			break;
-		case PF_INET6:
-			if (IP6CB(skb)->flags & IP6SKB_FORWARDED)
-				secmark_perm = PACKET__FORWARD_OUT;
-			else
-				secmark_perm = PACKET__SEND;
-			break;
-		default:
-			return NF_DROP_ERR(-ECONNREFUSED);
-		}
-		if (secmark_perm == PACKET__FORWARD_OUT) {
+		if (skb->skb_iif) {
+			secmark_perm = PACKET__FORWARD_OUT;
 			if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
 				return NF_DROP;
-		} else
+		} else {
+			secmark_perm = PACKET__SEND;
 			peer_sid = SECINITSID_KERNEL;
+		}
 	} else {
 		struct sk_security_struct *sksec = sk->sk_security;
 		peer_sid = sksec->sid;
|
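Review bot: The new test `if (skb->skb_iif)` in the `sk == NULL` branch now decides whether the packet is checked as PACKET__FORWARD_OUT against its own peer label or as PACKET__SEND against SECINITSID_KERNEL, yet nothing at the branch states why a non-zero input interface index means "forwarded". Since the access decision rests on that invariant, I would write it down above the test, e.g. `/* No socket: a non-zero skb_iif means the skb was received on a device and is being forwarded; otherwise the kernel generated it. */`. The removed `default:` arm also appears to have been the only place this branch rejected an unexpected `family`, so it is worth confirming that callers only ever pass PF_INET or PF_INET6 before `family` reaches selinux_skb_peerlbl_sid(). selinux_ip_postroute() begins and ends outside the hunk, so any check made elsewhere in the function is not visible here.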
