diff options
| author | Eric Paris <[email protected]> | 2012-07-06 18:13:30 +0000 |
|---|---|---|
| committer | James Morris <[email protected]> | 2012-07-16 01:41:47 +0000 |
| commit | 3d2195c3324b27e65ba53d9626a6bd91a2515797 (patch) | |
| tree | c17445689c2926fa446c9bef4f5b169b60ce4f15 /security/selinux/hooks.c | |
| parent | SELinux: include definition of new capabilities (diff) | |
| download | kernel-3d2195c3324b27e65ba53d9626a6bd91a2515797.tar.gz kernel-3d2195c3324b27e65ba53d9626a6bd91a2515797.zip | |
SELinux: do not check open perms if they are not known to policy
When I introduced open perms policy didn't understand them and I
implemented them as a policycap. When I added the checking of open perm
to truncate I forgot to conditionalize it on the userspace defined
policy capability. Running an old policy with a new kernel will not
check open on open(2) but will check it on truncate. Conditionalize the
truncate check the same as the open check.
Signed-off-by: Eric Paris <[email protected]>
Cc: [email protected] # 3.4.x
Signed-off-by: James Morris <[email protected]>
Diffstat (limited to 'security/selinux/hooks.c')
| -rw-r--r-- | security/selinux/hooks.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 372ec6502aa8..ffd8900a38e8 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2717,7 +2717,7 @@ static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) return dentry_has_perm(cred, dentry, FILE__SETATTR); - if (ia_valid & ATTR_SIZE) + if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)) av |= FILE__OPEN; return dentry_has_perm(cred, dentry, av); |