SELinux: Use unknown perm handling to handle unknown netlink msg types

Currently when SELinux has not been updated to handle a netlink message type the operation is denied with EINVAL. This patch will leave the audit/warning message so things get fixed but if policy chose to allow unknowns this will allow the netlink operation. Signed-off-by: N Eric Paris <eparis@redhat.com> Acked-by: N Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: N James Morris <jmorris@namei.org>

SELinux: Use unknown perm handling to handle unknown netlink msg types
Currently when SELinux has not been updated to handle a netlink message type the operation is denied with EINVAL. This patch will leave the audit/warning message so things get fixed but if policy chose to allow unknowns this will allow the netlink operation. Signed-off-by: N Eric Paris <eparis@redhat.com> Acked-by: N Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: N James Morris <jmorris@namei.org>
39c9aede · Eric Paris · James Morris · 1f29fae2 · 39c9aede
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

security/selinux/hooks.c security/selinux/hooks.c +1 -1

未找到文件。
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4395,7 +4395,7 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
 				  "SELinux:  unrecognized netlink message"
 				  " type=%hu for sclass=%hu\n",
 				  nlh->nlmsg_type, isec->sclass);
-			if (!selinux_enforcing)
+			if (!selinux_enforcing || security_get_allow_unknown())
 				err = 0;
 		}