From: Eric Paris <eparis@redhat.com>
To: James Morris <jmorris@namei.org>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
Eric Paris <eparis@parisplace.org>,
selinux <selinux@tycho.nsa.gov>,
linux-security-module@vger.kernel.org, casey@schaufler-ca.com
Subject: Re: [patch] selinux: handle files opened with flags 3 by checking ioctl permission
Date: Mon, 17 Mar 2008 18:19:27 -0400 [thread overview]
Message-ID: <1205792367.2891.1.camel@localhost.localdomain> (raw)
In-Reply-To: <Xine.LNX.4.64.0803180915000.25060@us.intercode.com.au>
On Tue, 2008-03-18 at 09:15 +1100, James Morris wrote:
> On Mon, 17 Mar 2008, Eric Paris wrote:
>
> >
> > On Mon, 2008-03-17 at 08:55 -0400, Stephen Smalley wrote:
> > > On Mon, 2008-03-17 at 08:41 +1100, James Morris wrote:
> > > > On Fri, 14 Mar 2008, Stephen Smalley wrote:
> > > >
> > > > > Alternatively, we could default to returning FILE__IOCTL from
> > > > > file_to_av() if the f_mode has neither FMODE_READ nor FMODE_WRITE, and
> > > > > thus check ioctl permission on exec or transfer, thereby validating such
> > > > > descriptors early as with normal r/w descriptors and catching leaks of
> > > > > them prior to attempted usage.
> > > >
> > > > I think this sounds like a good plan.
> > >
> > > Handle files opened with flags 3 by checking ioctl permission.
> > >
> > > Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> >
> > Acked-by: Eric Paris <eparis@redhat.com>
>
> Fixes the problem I was seeing. Applied to for-akpm.
Are you at least now seeing a FILE__IOCTL avc for mdadm? If not why
would mdadm have that permission for /dev/null?
-Eric
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2008-03-17 22:19 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-03-12 19:13 How to handle security_dentry_open when the open flags are 'special' Eric Paris
2008-03-12 19:20 ` Eric Paris
2008-03-13 11:56 ` Stephen Smalley
2008-03-14 14:16 ` Stephen Smalley
2008-03-16 21:41 ` James Morris
2008-03-17 12:55 ` [patch] selinux: handle files opened with flags 3 by checking ioctl permission Stephen Smalley
2008-03-17 14:01 ` Eric Paris
2008-03-17 14:19 ` Stephen Smalley
2008-03-17 14:30 ` Eric Paris
2008-03-17 22:15 ` James Morris
2008-03-17 22:19 ` Eric Paris [this message]
2008-03-17 23:02 ` James Morris
2008-03-18 12:54 ` Stephen Smalley
2008-03-18 12:52 ` Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1205792367.2891.1.camel@localhost.localdomain \
--to=eparis@redhat.com \
--cc=casey@schaufler-ca.com \
--cc=eparis@parisplace.org \
--cc=jmorris@namei.org \
--cc=linux-security-module@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.