    selinux: fix bug in conditional rules handling · f3bef679
    Stephen Smalley authored
    commit fa1aa143 ("selinux: extended permissions for ioctls")
    introduced a bug into the handling of conditional rules, skipping the
    processing entirely when the caller does not provide an extended
    permissions (xperms) structure.  Access checks from userspace using
    /sys/fs/selinux/access do not include such a structure since that
    interface does not presently expose extended permission information.
    As a result, conditional rules were being ignored entirely on userspace
    access requests, producing denials when access was allowed by
    conditional rules in the policy.  Fix the bug by only skipping
    computation of extended permissions in this situation, not the entire
    conditional rules processing.
    Reported-by: Laurent Bigonville <bigon@debian.org>
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
    [PM: fixed long lines in patch description]
    Cc: stable@vger.kernel.org # 4.3
    Signed-off-by: Paul Moore <pmoore@redhat.com>
Changed file: conditional.c (14.4 KB)
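The failure mode the commit message describes, as an added C example that is not the kernel's conditional.c: a simplified model of conditional-rule evaluation in which the buggy variant returns before accumulating any permissions whenever the caller passes no xperms structure (the shape of a /sys/fs/selinux/access query), while the fixed variant only skips the extended-permissions computation in that case. The structure names, permission bits, the two-rule sample policy and the ioctl driver byte 0x54 are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the conditional-rule path described in the commit
 * message; not the kernel's conditional.c. cond_rule, av_decision and
 * extended_perms are simplified stand-ins for the real structures. */

#define PERM_READ   0x1u
#define PERM_WRITE  0x2u
#define PERM_IOCTL  0x4u

struct extended_perms {
    uint8_t drivers[32];   /* bitmap of ioctl "driver" bytes that received a decision */
};

struct av_decision {
    uint32_t allowed;      /* permissions granted by the rules that matched */
};

struct cond_rule {
    int active;            /* current value of the rule's conditional expression */
    uint32_t allowed;      /* permissions the rule grants when active */
    int has_xperms;        /* rule also carries an ioctl xperms decision */
    uint8_t driver;        /* driver byte that decision covers (constructed) */
};

/* Constructed policy: one active conditional rule granting read/write/ioctl
 * plus an xperms decision for driver 0x54, and one inactive rule. */
static const struct cond_rule policy[] = {
    { .active = 1, .allowed = PERM_READ | PERM_WRITE | PERM_IOCTL, .has_xperms = 1, .driver = 0x54 },
    { .active = 0, .allowed = PERM_WRITE, .has_xperms = 0, .driver = 0 },
};
#define POLICY_LEN (sizeof(policy) / sizeof(policy[0]))

static void mark_driver(struct extended_perms *xp, uint8_t driver)
{
    xp->drivers[driver >> 3] |= (uint8_t)(1u << (driver & 7));
}

/* Buggy shape: the entire conditional pass is skipped when no xperms structure
 * is supplied, so avd->allowed never picks up the active rules' permissions. */
static void cond_compute_av_buggy(struct av_decision *avd, struct extended_perms *xperms)
{
    if (!avd || !xperms)
        return;
    for (size_t i = 0; i < POLICY_LEN; i++) {
        if (!policy[i].active)
            continue;
        avd->allowed |= policy[i].allowed;
        if (policy[i].has_xperms)
            mark_driver(xperms, policy[i].driver);
    }
}

/* Fixed shape: permissions are always accumulated; only the xperms computation
 * depends on the caller having provided a structure to fill. */
static void cond_compute_av_fixed(struct av_decision *avd, struct extended_perms *xperms)
{
    if (!avd)
        return;
    for (size_t i = 0; i < POLICY_LEN; i++) {
        if (!policy[i].active)
            continue;
        avd->allowed |= policy[i].allowed;
        if (xperms && policy[i].has_xperms)
            mark_driver(xperms, policy[i].driver);
    }
}

typedef void (*cond_compute_fn)(struct av_decision *, struct extended_perms *);

/* Model of a /sys/fs/selinux/access style query: no xperms structure exists,
 * so only the permission bits matter. Returns 1 if every requested permission
 * is granted, 0 if the request would be denied. */
static int userspace_query(cond_compute_fn compute, uint32_t requested)
{
    struct av_decision avd = { 0 };
    compute(&avd, NULL);
    return (avd.allowed & requested) == requested;
}

/* Model of an in-kernel ioctl check that does supply an xperms structure.
 * Returns 1 if the given driver byte received an xperms decision. */
static int kernel_ioctl_query(cond_compute_fn compute, uint8_t driver)
{
    struct av_decision avd = { 0 };
    struct extended_perms xp;
    memset(&xp, 0, sizeof(xp));
    compute(&avd, &xp);
    return (xp.drivers[driver >> 3] >> (driver & 7)) & 1;
}

int main(void)
{
    printf("userspace read/write, buggy: %s\n",
           userspace_query(cond_compute_av_buggy, PERM_READ | PERM_WRITE) ? "allowed" : "denied");
    printf("userspace read/write, fixed: %s\n",
           userspace_query(cond_compute_av_fixed, PERM_READ | PERM_WRITE) ? "allowed" : "denied");
    printf("kernel ioctl driver 0x54, fixed: %s\n",
           kernel_ioctl_query(cond_compute_av_fixed, 0x54) ? "decided" : "undecided");
    return 0;
}
```

The in-kernel ioctl path behaves identically under both variants, which is why the regression only showed up for userspace access queries: the early return is reached solely when the caller passes a NULL xperms pointer.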