[PATCH] selinux: check return value for receive node permission
From: James Morris <jmorris@redhat.com>

This patch fixes a bug where the return value for a permission call is not checked.

The bug was introduced when I added some code in the following changeset:

<http://linux.bkbits.net:8080/linux-2.5/diffs/security/selinux/hooks.c@1.19?nav=index.html|src/|src/security|src/security/selinux|hist/security/selinux/hooks.c>

Code was added after this line:

    err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, node_perm, NULL, &ad);

without adding an explicit check of 'err', which was previously returned from the function rather than being checked. i.e. it would drop through to:

    out:
        return err;
    }

With the new code added, err can (and typically would) be overwritten with a successful value, causing the permission check to not deny permission if needed. The intended denial would have been logged.

The patch below fixes this problem.
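The pattern described in the commit message, as an added illustration that is not code from the patch or from hooks.c: `perm_check`, `recv_buggy`, `recv_fixed` and `denials_logged` are constructed stand-ins, and the `if (err) goto out;` form of the fix is an assumption, since the diff itself is not shown on this page. It shows why a denial can appear in the audit log while the operation is still allowed.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed stand-ins: none of these are the kernel's functions. */
static int denials_logged;          /* counts audit records written */

/* Models a permission call: logs and returns -EACCES on denial. */
static int perm_check(int allowed)
{
    if (!allowed) {
        denials_logged++;
        return -EACCES;
    }
    return 0;
}

/* Buggy shape: the node result is not tested before err is reused. */
static int recv_buggy(int node_ok, int later_ok)
{
    int err;

    err = perm_check(node_ok);      /* denial is logged here ... */
    err = perm_check(later_ok);     /* ... then overwritten here */
    return err;
}

/* Fixed shape (assumed): bail out as soon as the node check fails. */
static int recv_fixed(int node_ok, int later_ok)
{
    int err;

    err = perm_check(node_ok);
    if (err)
        goto out;
    err = perm_check(later_ok);
out:
    return err;
}

int main(void)
{
    int rc = recv_buggy(0, 1);
    printf("buggy: rc=%d, denials logged=%d\n", rc, denials_logged);
    denials_logged = 0;
    rc = recv_fixed(0, 1);
    printf("fixed: rc=%d, denials logged=%d\n", rc, denials_logged);
    return 0;
}
```

In the buggy shape the audit record and the enforcement decision disagree, so a logged denial paired with a successful operation is the signature to look for when auditing similar hooks.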