From: Paul Moore <paul@paul-moore.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: selinux@tycho.nsa.gov, bigon@debian.org, jeffv@google.com
Subject: Re: [PATCH] selinux: fix bug in conditional rules handling
Date: Tue, 24 Nov 2015 13:51:34 -0500 [thread overview]
Message-ID: <1565543.7Ns8yjUNd2@sifl> (raw)
In-Reply-To: <1448312861-3574-1-git-send-email-sds@tycho.nsa.gov>
On Monday, November 23, 2015 04:07:41 PM Stephen Smalley wrote:
> commit fa1aa143ac4a ("selinux: extended permissions for ioctls") introduced
> a bug into the handling of conditional rules, skipping the processing
> entirely when the caller does not provide an extended permissions (xperms)
> structure. Access checks from userspace using /sys/fs/selinux/access
> do not include such a structure since that interface does not presently
> expose extended permission information. As a result, conditional rules
> were being ignored entirely on userspace access requests, producing
> denials when access was allowed by conditional rules in the policy.
> Fix the bug by only skipping computation of extended permissions
> in this situation, not the entire conditional rules processing.
>
> Reported-by: Laurent Bigonville <bigon@debian.org>
> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> ---
> security/selinux/ss/conditional.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
Merged into the SELinux stable branch, I'll push it to James tomorrow.
> diff --git a/security/selinux/ss/conditional.c
> b/security/selinux/ss/conditional.c index 18643bf..456e1a9 100644
> --- a/security/selinux/ss/conditional.c
> +++ b/security/selinux/ss/conditional.c
> @@ -638,7 +638,7 @@ void cond_compute_av(struct avtab *ctab, struct
> avtab_key *key, {
> struct avtab_node *node;
>
> - if (!ctab || !key || !avd || !xperms)
> + if (!ctab || !key || !avd)
> return;
>
> for (node = avtab_search_node(ctab, key); node;
> @@ -657,7 +657,7 @@ void cond_compute_av(struct avtab *ctab, struct
> avtab_key *key, if ((u16)(AVTAB_AUDITALLOW|AVTAB_ENABLED) ==
> (node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED)))
> avd->auditallow |= node->datum.u.data;
> - if ((node->key.specified & AVTAB_ENABLED) &&
> + if (xperms && (node->key.specified & AVTAB_ENABLED) &&
> (node->key.specified & AVTAB_XPERMS))
> services_compute_xperms_drivers(xperms, node);
> }
--
paul moore
www.paul-moore.com
prev parent reply other threads:[~2015-11-25 19:07 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-23 21:07 [PATCH] selinux: fix bug in conditional rules handling Stephen Smalley
2015-11-23 21:23 ` Paul Moore
2015-11-23 21:30 ` Stephen Smalley
2015-11-24 18:51 ` Paul Moore [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1565543.7Ns8yjUNd2@sifl \
--to=paul@paul-moore.com \
--cc=bigon@debian.org \
--cc=jeffv@google.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.