SELinux: do not check open perms if they are not known to policy

When I introduced open perms policy didn't understand them and I implemented them as a policycap. When I added the checking of open perm to truncate I forgot to conditionalize it on the userspace defined policy capability. Running an old policy with a new kernel will not check open on open(2) but will check it on truncate. Conditionalize the truncate check the same as the open check. Signed-off-by: N Eric Paris <eparis@redhat.com> Cc: stable@vger.kernel.org # 3.4.x Signed-off-by: N James Morris <james.l.morris@oracle.com>

SELinux: do not check open perms if they are not known to policy
When I introduced open perms policy didn't understand them and I implemented them as a policycap. When I added the checking of open perm to truncate I forgot to conditionalize it on the userspace defined policy capability. Running an old policy with a new kernel will not check open on open(2) but will check it on truncate. Conditionalize the truncate check the same as the open check. Signed-off-by: N Eric Paris <eparis@redhat.com> Cc: stable@vger.kernel.org # 3.4.x Signed-off-by: N James Morris <james.l.morris@oracle.com>
3d2195c3 · Eric Paris · James Morris · 64919e60 · 3d2195c3
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

security/selinux/hooks.c security/selinux/hooks.c +1 -1

未找到文件。
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2717,7 +2717,7 @@ static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
 			ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
 		return dentry_has_perm(cred, dentry, FILE__SETATTR);

-	if (ia_valid & ATTR_SIZE)
+	if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))
 		av |= FILE__OPEN;

 	return dentry_has_perm(cred, dentry, av);