
Commit 06674679 authored by Eric Paris Committed by James Morris

Currently SELinux jumps through some ugly hoops to not audit a capability


check when determining if a process has additional powers to override
memory limits or when trying to read/write illegal file labels.  Use
the new noaudit call instead.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
parent a2f2945a
+2 −17
@@ -1979,16 +1979,8 @@ static int selinux_syslog(int type)
static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
{
	int rc, cap_sys_admin = 0;
	struct task_security_struct *tsec = current->security;

	rc = secondary_ops->capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT);
	if (rc == 0)
		rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
					  SECCLASS_CAPABILITY,
					  CAP_TO_MASK(CAP_SYS_ADMIN),
					  0,
					  NULL);

	rc = selinux_capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT);
	if (rc == 0)
		cap_sys_admin = 1;

@@ -2820,7 +2812,6 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
	u32 size;
	int error;
	char *context = NULL;
	struct task_security_struct *tsec = current->security;
	struct inode_security_struct *isec = inode->i_security;

	if (strcmp(name, XATTR_SELINUX_SUFFIX))
@@ -2835,13 +2826,7 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
	 * and lack of permission just means that we fall back to the
	 * in-core context value, not a denial.
	 */
	error = secondary_ops->capable(current, CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT);
	if (!error)
		error = avc_has_perm_noaudit(tsec->sid, tsec->sid,
					     SECCLASS_CAPABILITY2,
					     CAPABILITY2__MAC_ADMIN,
					     0,
					     NULL);
	error = selinux_capable(current, CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT);
	if (!error)
		error = security_sid_to_context_force(isec->sid, &context,
						      &size);
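Review bot: The `selinux_capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT)` call added in selinux_vm_enough_memory has no comment saying why a failed check is kept out of the audit log, whereas the selinux_inode_getsecurity hunk keeps its explanation directly above the equivalent call. Going by the commit message, this is a probe for extra headroom rather than an access decision, so something like `/* Probe only: lacking CAP_SYS_ADMIN is not a denial here, so do not audit it. */` above the call would keep a later cleanup from switching it back to an audited check and generating audit records for what is not a denial. Both call sites also now rely on selinux_capable, which is not shown on this page, to run the secondary module's check first, to pass the no-audit flag through to the AVC lookup, and to map CAP_MAC_ADMIN to the capability2 class that the removed code named explicitly; that is worth confirming against the helper before merging. Both function bodies continue outside the hunks shown.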