net: add skb_to_full_sk() helper and use it in selinux_netlbl_skbuff_setsid()
Generalize selinux_skb_sk() added in commit 212cd0895330
("selinux: fix random read in selinux_ip_postroute_compat()")
so that we can use it other contexts.
Use it right away in selinux_netlbl_skbuff_setsid()
Fixes: ca6fb0651883 ("tcp: attach SYNACK messages to request sockets instead of listener")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index c9b2d54..23307da 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4931,23 +4931,11 @@
return selinux_ip_output(skb, PF_INET);
}
-/* SYNACK messages might be attached to request sockets.
- * To get back to sk_security, we need to look at the listener.
- */
-static struct sock *selinux_skb_sk(const struct sk_buff *skb)
-{
- struct sock *sk = skb->sk;
-
- if (sk && sk->sk_state == TCP_NEW_SYN_RECV)
- sk = inet_reqsk(sk)->rsk_listener;
- return sk;
-}
-
static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
int ifindex,
u16 family)
{
- struct sock *sk = selinux_skb_sk(skb);
+ struct sock *sk = skb_to_full_sk(skb);
struct sk_security_struct *sksec;
struct common_audit_data ad;
struct lsm_network_audit net = {0,};
@@ -5002,7 +4990,7 @@
if (!secmark_active && !peerlbl_active)
return NF_ACCEPT;
- sk = selinux_skb_sk(skb);
+ sk = skb_to_full_sk(skb);
#ifdef CONFIG_XFRM
/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec