[PATCH] SELinux: fix selinux_inode_setattr hook

This fixes the selinux_inode_setattr hook function to honor the ATTR_FORCE flag, skipping any permission checking in that case. Otherwise, it is possible though unlikely for a denial from the hook to prevent proper updating, e.g. for remove_suid upon writing to a file. This would only occur if the process had write permission to a suid file but lacked setattr permission to it. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>

[PATCH] SELinux: fix selinux_inode_setattr hook
This fixes the selinux_inode_setattr hook function to honor the ATTR_FORCE flag, skipping any permission checking in that case. Otherwise, it is possible though unlikely for a denial from the hook to prevent proper updating, e.g. for remove_suid upon writing to a file. This would only occur if the process had write permission to a suid file but lacked setattr permission to it. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
19944d17 · Stephen D. Smalley · Linus Torvalds · 37b63d17 · 19944d17
Commit 19944d17 authored Feb 04, 2005 by Stephen D. Smalley Committed by Linus Torvalds Feb 04, 2005
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

security/selinux/hooks.c security/selinux/hooks.c +3 -0

No files found.
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2140,6 +2140,9 @@ static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
 	if (rc)
 		return rc;

+	if (iattr->ia_valid & ATTR_FORCE)
+		return 0;
+
 	if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
 			       ATTR_ATIME_SET | ATTR_MTIME_SET))
 		return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);