List: selinux
Subject: Re: [PATCH] selinux: fix bug in conditional rules handling
From: Paul Moore <paul () paul-moore ! com>
Date: 2015-11-24 18:51:34
Message-ID: 1565543.7Ns8yjUNd2 () sifl
On Monday, November 23, 2015 04:07:41 PM Stephen Smalley wrote:
> commit fa1aa143ac4a ("selinux: extended permissions for ioctls") introduced
> a bug into the handling of conditional rules, skipping the processing
> entirely when the caller does not provide an extended permissions (xperms)
> structure. Access checks from userspace using /sys/fs/selinux/access
> do not include such a structure since that interface does not presently
> expose extended permission information. As a result, conditional rules
> were being ignored entirely on userspace access requests, producing
> denials when access was allowed by conditional rules in the policy.
> Fix the bug by only skipping computation of extended permissions
> in this situation, not the entire conditional rules processing.
>
> Reported-by: Laurent Bigonville <bigon@debian.org>
> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> ---
> security/selinux/ss/conditional.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
Merged into the SELinux stable branch, I'll push it to James tomorrow.
> diff --git a/security/selinux/ss/conditional.c
> b/security/selinux/ss/conditional.c index 18643bf..456e1a9 100644
> --- a/security/selinux/ss/conditional.c
> +++ b/security/selinux/ss/conditional.c
> @@ -638,7 +638,7 @@ void cond_compute_av(struct avtab *ctab, struct
> avtab_key *key, {
> struct avtab_node *node;
>
> - if (!ctab || !key || !avd || !xperms)
> + if (!ctab || !key || !avd)
> return;
>
> for (node = avtab_search_node(ctab, key); node;
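Review bot: dropping `!xperms` from the early return at `if (!ctab || !key || !avd)` is the actual fix, but it means `xperms` is now a legitimately NULL pointer for the remainder of `cond_compute_av()`, so every later dereference or pass-through of it in this function has to be guarded; the only such use visible in this patch is the `services_compute_xperms_drivers(xperms, node)` call in the second hunk, which gains an `xperms &&` guard. A one-line comment above the check (e.g. `/* xperms is optional: callers without an extended-permissions request, such as the /sys/fs/selinux/access path, pass NULL */`) would document the contract so a future edit does not reintroduce the unconditional bail-out.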
> @@ -657,7 +657,7 @@ void cond_compute_av(struct avtab *ctab, struct
> avtab_key *key, if ((u16)(AVTAB_AUDITALLOW|AVTAB_ENABLED) ==
> (node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED)))
> avd->auditallow |= node->datum.u.data;
> - if ((node->key.specified & AVTAB_ENABLED) &&
> + if (xperms && (node->key.specified & AVTAB_ENABLED) &&
> (node->key.specified & AVTAB_XPERMS))
> services_compute_xperms_drivers(xperms, node);
> }
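Review bot: placing `xperms &&` first in `if (xperms && (node->key.specified & AVTAB_ENABLED) &&` is the right ordering, since it short-circuits before the flag tests and keeps the allow/auditallow accumulation in the preceding lines running for NULL-xperms callers, which is exactly what the userspace access check needs. Consider adding a short comment on that line stating why the xperms computation alone is skipped, so the distinction between "no xperms requested" and "no conditional processing" is visible at the point of use rather than only in the commit message.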
--
paul moore
www.paul-moore.com