UPSTREAM: selinux: fix bug in conditional rules handling (fcd540ce) · Commits · CodeLinaro / la / kernel / msm

Commit fcd540ce authored 9 years ago by Stephen Smalley Committed by Prashant Malani 9 years ago

UPSTREAM: selinux: fix bug in conditional rules handling


(cherry picked from commit commit f3bef679)

commit fa1aa143 ("selinux: extended permissions for ioctls")
introduced a bug into the handling of conditional rules, skipping the
processing entirely when the caller does not provide an extended
permissions (xperms) structure.  Access checks from userspace using
/sys/fs/selinux/access do not include such a structure since that
interface does not presently expose extended permission information.
As a result, conditional rules were being ignored entirely on userspace
access requests, producing denials when access was allowed by
conditional rules in the policy.  Fix the bug by only skipping
computation of extended permissions in this situation, not the entire
conditional rules processing.

Change-Id: Ifff5719c80da03545eaea3cbf94e65a0a0e0d7d3
Reported-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
[PM: fixed long lines in patch description]
Cc: stable@vger.kernel.org # 4.3
Signed-off-by: Paul Moore <pmoore@redhat.com>

parent ce32f2e3

No related branches found

No related tags found

No related merge requests found

Hide whitespace changes

Inline Side-by-side

Showing with 2 additions and 2 deletions

Please register or to comment