UPSTREAM: selinux: fix bug in conditional rules handling

commit fa1aa143 ("selinux: extended permissions for ioctls") introduced a bug into the handling of conditional rules, skipping the processing entirely when the caller does not provide an extended permissions (xperms) structure. Access checks from userspace using /sys/fs/selinux/access do not include such a structure since that interface does not presently expose extended permission information. As a result, conditional rules were being ignored entirely on userspace access requests, producing denials when access was allowed by conditional rules in the policy.

Fix the bug by only skipping computation of extended permissions in this situation, not the entire conditional rules processing.

BUG=none
TEST=smaug boots

Reported-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
[PM: fixed long lines in patch description]
Cc: stable@vger.kernel.org # 4.3
Signed-off-by: Paul Moore <pmoore@redhat.com>
(cherry picked from commit f3bef679)
Signed-off-by: David Riley <davidriley@chromium.org>
Change-Id: Iae290beaa10bbaa3f14d2fd186021ef9babd1ea8
Reviewed-on: https://chromium-review.googlesource.com/322730
Commit-Ready: David Riley <davidriley@chromium.org>
Tested-by: David Riley <davidriley@chromium.org>
Reviewed-by: Mark Salyzyn <salyzyn@google.com>
Reviewed-by: Andrew Bresticker <abrestic@chromium.org>
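The failure mode the message describes, as an added illustration that is not the kernel's code or part of this commit: a hypothetical simplified C model of conditional-rule evaluation (the `SPEC_*` flags, `cond_rule`, and both `cond_compute_av_*` functions are constructed stand-ins) in which the buggy guard bails out on a NULL xperms pointer before any rule is visited, while the fixed guard only skips the xperms bookkeeping.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical simplified model of conditional-rule evaluation, not the
 * kernel's own code. Each rule is one conditional allow or allowxperm rule. */
#define SPEC_ALLOWED 0x1u /* rule grants the permission bits in data */
#define SPEC_ENABLED 0x2u /* rule's boolean expression is currently true */
#define SPEC_XPERMS  0x4u /* rule carries extended (ioctl) permissions */
struct cond_rule { uint16_t specified; uint32_t data; };
struct av_decision { uint32_t allowed; };
struct extended_perms { uint32_t drivers; };

/* Fixed form: a NULL xperms only skips the extended-permission bookkeeping;
 * ordinary conditional allow rules are still folded into avd. */
static void cond_compute_av_fixed(const struct cond_rule *rules, size_t n,
        struct av_decision *avd, struct extended_perms *xperms)
{
    if (!avd) return;
    for (size_t i = 0; i < n; i++) {
        const struct cond_rule *r = &rules[i];
        if (!(r->specified & SPEC_ENABLED))
            continue; /* boolean currently false: rule does not apply */
        if (r->specified & SPEC_XPERMS) {
            if (xperms) /* only this part depends on the caller's xperms */
                xperms->drivers |= r->data;
        } else if (r->specified & SPEC_ALLOWED) {
            avd->allowed |= r->data;
        }
    }
}
/* Buggy form: the NULL check covers xperms too, so a caller without an
 * xperms structure gets no conditional rules applied at all. */
static void cond_compute_av_buggy(const struct cond_rule *rules, size_t n,
        struct av_decision *avd, struct extended_perms *xperms)
{
    if (!avd || !xperms) return;
    cond_compute_av_fixed(rules, n, avd, xperms);
}

/* Models a /sys/fs/selinux/access query, which supplies no xperms structure;
 * returns the allowed bits userspace would observe for a constructed policy. */
static uint32_t userspace_query_allowed(int fixed)
{
    const struct cond_rule rules[] = { /* constructed: enabled, disabled, xperm */
        { SPEC_ALLOWED | SPEC_ENABLED, 0x3 }, { SPEC_ALLOWED, 0x4 },
        { SPEC_ALLOWED | SPEC_ENABLED | SPEC_XPERMS, 0x10 } };
    struct av_decision avd = { 0 };
    (fixed ? cond_compute_av_fixed : cond_compute_av_buggy)(rules, 3, &avd, NULL);
    return avd.allowed; /* fixed: 0x3, buggy: 0 */
}
```

With the buggy guard the enabled conditional rule granting 0x3 never reaches `avd`, which is exactly the spurious denial seen from userspace.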