    selinux: do not check open permission on sockets · ccb54478
    Committed by Stephen Smalley
    open permission is currently only defined for files in the kernel
    (COMMON_FILE_PERMS rather than COMMON_FILE_SOCK_PERMS). Construction of
    an artificial test case that tries to open a socket via /proc/pid/fd will
    generate a recvfrom avc denial because recvfrom and open happen to map to
    the same permission bit in socket vs file classes.
    
    open of a socket via /proc/pid/fd is not supported by the kernel regardless
    and will ultimately return ENXIO. But we hit the permission check first and
    can thus produce these odd/misleading denials.  Omit the open check when
    operating on a socket.
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
hooks.c 164.7 KB
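
The bit collision the commit message describes, as an added user-space example (not code from hooks.c or from the commit). The permission orderings are an assumption modelled on the COMMON_FILE_PERMS and COMMON_FILE_SOCK_PERMS macros the message names, and `perm_bit`, `perm_name` and `open_av` are hypothetical helpers; check the lists against classmap.h in your own kernel tree.

```c
#include <stdio.h>
#include <string.h>

/* Assumed permission orderings, modelled on the COMMON_* macros the commit
 * message names; verify against classmap.h in your kernel tree. */
#define COMMON_FILE_SOCK_PERMS "ioctl", "read", "write", "create", "getattr", \
    "setattr", "lock", "relabelfrom", "relabelto", "append", "map"

static const char *file_perms[] = { COMMON_FILE_SOCK_PERMS, "unlink", "link",
    "rename", "execute", "quotaon", "mounton", "audit_access", "open", NULL };
static const char *sock_perms[] = { COMMON_FILE_SOCK_PERMS, "bind", "connect",
    "listen", "accept", "getopt", "setopt", "shutdown", "recvfrom", NULL };

/* A permission's access-vector bit is 1 << its position in the class list. */
static unsigned perm_bit(const char **perms, const char *name)
{
    for (unsigned i = 0; perms[i]; i++)
        if (strcmp(perms[i], name) == 0)
            return 1u << i;
    return 0;
}

/* Name a single bit the way an AVC denial would for the given class. */
static const char *perm_name(const char **perms, unsigned bit)
{
    for (unsigned i = 0; perms[i]; i++)
        if (bit == 1u << i)
            return perms[i];
    return "?";
}

/* Hypothetical model of building the vector for an open: base_av is what the
 * access mode needs; the open bit is added unless the fix skips sockets. */
static unsigned open_av(unsigned base_av, int is_socket, int skip_open_on_sockets)
{
    if (is_socket && skip_open_on_sockets)
        return base_av;
    return base_av | perm_bit(file_perms, "open");
}

int main(void)
{
    unsigned rd = perm_bit(sock_perms, "read");
    unsigned before = open_av(rd, 1, 0) & ~rd;  /* extra bit requested */
    unsigned after = open_av(rd, 1, 1) & ~rd;
    printf("before fix, socket class reports: %s\n", perm_name(sock_perms, before));
    printf("after fix, extra bits on a socket: %#x\n", after);
    return 0;
}
```

When triaging audit logs from kernels without this change, a `recvfrom` denial on a socket class whose triggering syscall was an open of /proc/pid/fd is this decoding artifact rather than an actual receive attempt.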