selinux: do not check open permission on sockets - linux/linux-stable.git

diff options

author	Stephen Smalley <sds@tycho.nsa.gov>	2017-05-12 12:41:24 -0400
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2018-04-13 19:50:10 +0200
commit	60c26da547da81cfe9ea1e7d65d514cc89deb82e (patch)
tree	767ed0713b05f75b7eda2caefccba357e2fee972 /block
parent	4f58c2e97cf347121220f9c0a12eb910196e50eb (diff)

selinux: do not check open permission on sockets

[ Upstream commit ccb544781d34afdb73a9a73ae53035d824d193bf ] open permission is currently only defined for files in the kernel (COMMON_FILE_PERMS rather than COMMON_FILE_SOCK_PERMS). Construction of an artificial test case that tries to open a socket via /proc/pid/fd will generate a recvfrom avc denial because recvfrom and open happen to map to the same permission bit in socket vs file classes. open of a socket via /proc/pid/fd is not supported by the kernel regardless and will ultimately return ENXIO. But we hit the permission check first and can thus produce these odd/misleading denials. Omit the open check when operating on a socket. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Diffstat (limited to 'block')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: