List: selinux
Subject: [PATCH 59/73] libselinux: take security_deny_unknown into account
From: Daniel J Walsh <dwalsh () redhat ! com>
Date: 2012-03-27 15:37:11
Message-ID: 4F71DEA7.60101 () redhat ! com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This patch looks good to me. acked.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk9x3qcACgkQrlYvE4MpobPMHQCfQNYb92qZUhdHdqixuvci1j7k
x38An0SShIol3KqjISaujnpn1gZa7fhA
=B990
-----END PGP SIGNATURE-----
["0059-libselinux-take-security_deny_unknown-into-account.patch" (text/x-patch)]
From 7e8b5ab25797271cd3eb45f4dc14dc4be0f15d6d Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@redhat.com>
Date: Fri, 16 Mar 2012 11:05:17 -0400
Subject: [PATCH 59/73] libselinux: take security_deny_unknown into account
selinux_check_access() should not error on bad class or perms if the
security_deny_unknown() function returns false. If policy tells us to
allow unknown classes and perms we should respect that.
Signed-off-by: Eric Paris <eparis@redhat.com>
---
libselinux/src/checkAccess.c | 40 +++++++++++++++++++++++++++++-----------
1 file changed, 29 insertions(+), 11 deletions(-)
diff --git a/libselinux/src/checkAccess.c b/libselinux/src/checkAccess.c
index 59c8abb..aaebb94 100644
--- a/libselinux/src/checkAccess.c
+++ b/libselinux/src/checkAccess.c
@@ -1,3 +1,4 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
#include <unistd.h>
#include <sys/types.h>
#include <stdlib.h>
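Review bot: the Emacs mode line added at the top of checkAccess.c (c-basic-offset: 8, indent-tabs-mode: nil) is an editor formatting directive that the commit message does not mention and that has nothing to do with honouring deny_unknown; drop it or move it into a separate style-only commit so this patch stays one reviewable functional change.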
@@ -15,8 +16,7 @@ static void avc_init_once(void)
}
int selinux_check_access(const security_context_t scon, const security_context_t \
tcon, const char *class, const char *perm, void *aux) {
- int status = -1;
- int rc = -1;
+ int rc;
security_id_t scon_id;
security_id_t tcon_id;
security_class_t sclass;
@@ -27,15 +27,33 @@ int selinux_check_access(const security_context_t scon, const \
security_context_t
__selinux_once(once, avc_init_once);
- if ((rc = avc_context_to_sid(scon, &scon_id)) < 0) return rc;
-
- if ((rc = avc_context_to_sid(tcon, &tcon_id)) < 0) return rc;
-
- if ((sclass = string_to_security_class(class)) == 0) return status;
-
- if ((av = string_to_av_perm(sclass, perm)) == 0) return status;
-
- return avc_has_perm (scon_id, tcon_id, sclass, av, NULL, aux);
+ rc = avc_context_to_sid(scon, &scon_id);
+ if (rc < 0)
+ return rc;
+
+ rc = avc_context_to_sid(tcon, &tcon_id);
+ if (rc < 0)
+ return rc;
+
+ sclass = string_to_security_class(class);
+ if (sclass == 0) {
+ rc = errno;
+ if (security_deny_unknown() == 0)
+ return 0;
+ errno = rc;
+ return -1;
+ }
+
+ av = string_to_av_perm(sclass, perm);
+ if (av == 0) {
+ rc = errno;
+ if (security_deny_unknown() == 0)
+ return 0;
+ errno = rc;
+ return -1;
+ }
+
+ return avc_has_perm (scon_id, tcon_id, sclass, av, NULL, aux);
}
int selinux_check_passwd_access(access_vector_t requested)
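Review bot: the two new `== 0` tests on security_deny_unknown() treat every non-zero result as deny, including its -1 error return, so an unreadable flag fails closed; that is the right choice, but a one-line comment at the first `if (security_deny_unknown() == 0)` would stop a reader from assuming the test distinguishes "allow" from "could not determine". The blocks after `sclass == 0` and `av == 0` are identical and would be cleaner as one small static helper taking the saved errno. The `rc = errno; ... errno = rc; return -1;` dance relies on string_to_security_class() and string_to_av_perm() having set errno before returning 0, and it deliberately discards any errno left by a failing security_deny_unknown(); fine, but worth stating in the same comment. Finally, the visible contract changes: callers now get 0 (allowed) instead of -1 for an unknown class or permission whenever policy allows unknowns, which existing callers may have relied on as an error, so the function's documentation should say so.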
--
1.7.9.3
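To make the decision the patch introduces concrete, here is an added example (not libselinux code and not part of the patch) that re-implements the contract of security_deny_unknown() from the selinuxfs flag it reads and then applies the same allow/deny rule the patched selinux_check_access() uses when a class or permission string fails to resolve. It assumes the flag lives at `<mnt>/deny_unknown` with `/sys/fs/selinux` as the normal mount point; the mount point is a parameter so the logic can be exercised against a constructed fixture directory. `read_deny_unknown`, `decide_unknown` and `make_fake_selinuxfs` are names chosen for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical re-implementation of what libselinux's security_deny_unknown()
 * reports: read <mnt>/deny_unknown (normally under /sys/fs/selinux) and return
 * 1 if policy denies unknown classes/permissions, 0 if it allows them, or -1
 * with errno set if the flag cannot be read (for example, no SELinux at all). */
int read_deny_unknown(const char *mnt)
{
    char path[4096];
    char buf[16];
    int fd, saved;
    ssize_t n;

    snprintf(path, sizeof(path), "%s/deny_unknown", mnt);
    fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;              /* errno from open(), typically ENOENT */
    n = read(fd, buf, sizeof(buf) - 1);
    saved = errno;
    close(fd);
    if (n < 0) {
        errno = saved;
        return -1;
    }
    buf[n] = '\0';
    /* the kernel writes "0" or "1" followed by a newline */
    return strtol(buf, NULL, 10) != 0;
}

/* The decision the patched selinux_check_access() makes once the class or
 * permission string fails to resolve: allow (0) only when policy explicitly
 * permits unknowns; deny (-1) otherwise. An unreadable flag (-1) is treated
 * exactly like deny, so the check fails closed. lookup_errno is the errno the
 * failed string lookup left behind; it is restored for the caller on denial. */
int decide_unknown(const char *mnt, int lookup_errno)
{
    if (read_deny_unknown(mnt) == 0)
        return 0;
    errno = lookup_errno;
    return -1;
}

/* Constructed fixture (not a real system path): a temp directory holding a
 * deny_unknown file with the given contents. Returns the directory path in a
 * static buffer, or NULL on failure. */
const char *make_fake_selinuxfs(const char *contents)
{
    static char dir[64];
    char path[128];
    FILE *f;

    strcpy(dir, "/tmp/fake-selinuxfs-XXXXXX");
    if (mkdtemp(dir) == NULL)
        return NULL;
    snprintf(path, sizeof(path), "%s/deny_unknown", dir);
    f = fopen(path, "w");
    if (f == NULL)
        return NULL;
    fputs(contents, f);
    fclose(f);
    return dir;
}

/* Stand-alone use: report what the running kernel's policy says. */
int main(void)
{
    int v = read_deny_unknown("/sys/fs/selinux");

    if (v < 0)
        perror("deny_unknown unreadable; unknown objects would be denied");
    else
        printf("policy %s unknown classes/permissions\n",
               v ? "denies" : "allows");
    return 0;
}
```

The important edge case is the third outcome: when the flag cannot be read at all, `decide_unknown` denies and hands back the original lookup error, which is the same fail-closed behaviour the patched code gets from testing `security_deny_unknown() == 0` rather than `!= 1`.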
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.