|
@@ -4475,27 +4475,14 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
|
|
|
* from the sending socket, otherwise use the kernel's sid */
|
|
|
sk = skb->sk;
|
|
|
if (sk == NULL) {
|
|
|
- switch (family) {
|
|
|
- case PF_INET:
|
|
|
- if (IPCB(skb)->flags & IPSKB_FORWARDED)
|
|
|
- secmark_perm = PACKET__FORWARD_OUT;
|
|
|
- else
|
|
|
- secmark_perm = PACKET__SEND;
|
|
|
- break;
|
|
|
- case PF_INET6:
|
|
|
- if (IP6CB(skb)->flags & IP6SKB_FORWARDED)
|
|
|
- secmark_perm = PACKET__FORWARD_OUT;
|
|
|
- else
|
|
|
- secmark_perm = PACKET__SEND;
|
|
|
- break;
|
|
|
- default:
|
|
|
- return NF_DROP_ERR(-ECONNREFUSED);
|
|
|
- }
|
|
|
- if (secmark_perm == PACKET__FORWARD_OUT) {
|
|
|
+ if (skb->skb_iif) {
|
|
|
+ secmark_perm = PACKET__FORWARD_OUT;
|
|
|
if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
|
|
|
return NF_DROP;
|
|
|
- } else
|
|
|
+ } else {
|
|
|
+ secmark_perm = PACKET__SEND;
|
|
|
peer_sid = SECINITSID_KERNEL;
|
|
|
+ }
|
|
|
} else {
|
|
|
struct sk_security_struct *sksec = sk->sk_security;
|
|
|
peer_sid = sksec->sid;
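Review bot: The `sk == NULL` branch no longer fails closed on an unexpected `family`: the removed `switch` ended in `default: return NF_DROP_ERR(-ECONNREFUSED);`, while the new `if (skb->skb_iif)` test assigns `PACKET__SEND` or `PACKET__FORWARD_OUT` without looking at `family` at all. If nothing earlier in selinux_ip_postroute restricts `family` (the function starts and ends outside this hunk, so that is not visible here), I would keep an explicit guard ahead of the test, `if (family != PF_INET && family != PF_INET6) return NF_DROP_ERR(-ECONNREFUSED);`. The permission and peer label now depend on the rule "no socket plus a non-zero `skb_iif` means forwarded", which deserves a comment at the test such as `/* no socket: a non-zero skb_iif means the skb was received on an interface, so treat it as forwarded */`. It is also worth confirming that kernel-originated packets always reach this hook with `skb_iif` cleared, since one that does not would be checked as `PACKET__FORWARD_OUT` against the packet's peer label instead of `SECINITSID_KERNEL`.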
|