Commit 3d2195c3 authored Jul 06, 2012 by Eric Paris Committed by James Morris Jul 16, 2012

SELinux: do not check open perms if they are not known to policy



When I introduced open perms policy didn't understand them and I
implemented them as a policycap.  When I added the checking of open perm
to truncate I forgot to conditionalize it on the userspace defined
policy capability.  Running an old policy with a new kernel will not
check open on open(2) but will check it on truncate.  Conditionalize the
truncate check the same as the open check.

Signed-off-by: Eric Paris <eparis@redhat.com>
Cc: stable@vger.kernel.org # 3.4.x
Signed-off-by: James Morris <james.l.morris@oracle.com>

parent 64919e60

security/selinux/hooks.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -2717,7 +2717,7 @@ static int selinux_inode_setattr(struct dentry dentry, struct iattr iattr)
		ATTR_ATIME_SET \| ATTR_MTIME_SET \| ATTR_TIMES_SET))
		return dentry_has_perm(cred, dentry, FILE__SETATTR);

		if (ia_valid & ATTR_SIZE)
		if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))
		av \|= FILE__OPEN;

		return dentry_has_perm(cred, dentry, av);