SELinux: restore proper NetLabel caching behavior

A small fix to the SELinux/NetLabel glue code to ensure that the NetLabel
cache is utilized when possible.  This was broken when the SELinux/NetLabel
glue code was reorganized in the last kernel release.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>

1 files changed, 12 insertions, 4 deletions

diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index 051b14c88e2..d243ddc723a 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -162,9 +162,13 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid)
 
 	netlbl_secattr_init(&secattr);
 	rc = netlbl_skbuff_getattr(skb, &secattr);
-	if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
+	if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) {
 		rc = security_netlbl_secattr_to_sid(&secattr, base_sid, sid);
-	else
+		if (rc == 0 &&
+		    (secattr.flags & NETLBL_SECATTR_CACHEABLE) &&
+		    (secattr.flags & NETLBL_SECATTR_CACHE))
+			netlbl_cache_add(skb, &secattr);
+	} else
 		*sid = SECSID_NULL;
 	netlbl_secattr_destroy(&secattr);
 
@@ -307,11 +311,15 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
 
 	netlbl_secattr_init(&secattr);
 	rc = netlbl_skbuff_getattr(skb, &secattr);
-	if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
+	if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) {
 		rc = security_netlbl_secattr_to_sid(&secattr,
 						    SECINITSID_NETMSG,
 						    &nlbl_sid);
-	else
+		if (rc == 0 &&
+		    (secattr.flags & NETLBL_SECATTR_CACHEABLE) &&
+		    (secattr.flags & NETLBL_SECATTR_CACHE))
+			netlbl_cache_add(skb, &secattr);
+	} else
 		nlbl_sid = SECINITSID_UNLABELED;
 	netlbl_secattr_destroy(&secattr);
 	if (rc != 0)