Commit ea6b184f authored Sep 22, 2008 by Stephen Smalley Committed by James Morris Sep 30, 2008

selinux: use default proc sid on symlinks

As we are not concerned with fine-grained control over reading of
symlinks in proc, always use the default proc SID for all proc symlinks.
This should help avoid permission issues upon changes to the proc tree
as in the /proc/net -> /proc/self/net example.
This does not alter labeling of symlinks within /proc/pid directories.
ls -Zd /proc/net output before and after the patch should show the difference.

Signed-off-by: Stephen D. Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>

parent de45e806

security/selinux/hooks.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -1291,7 +1291,7 @@ static int inode_doinit_with_dentry(struct inode inode, struct dentry opt_dent
		/* Default to the fs superblock SID. */
		isec->sid = sbsec->sid;

		if (sbsec->proc) {
		if (sbsec->proc && !S_ISLNK(inode->i_mode)) {
		struct proc_inode *proci = PROC_I(inode);
		if (proci->pde) {
		isec->sclass = inode_mode_to_security_class(inode->i_mode);