summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeff Vander Stoep <jeffv@google.com>2015-10-21 17:44:25 -0400
committerPaul Moore <pmoore@redhat.com>2015-10-21 17:44:25 -0400
commit44d37ad3602b3823764eeb0f6c1ee3ef6c4fb936 (patch)
treeda06d34a35dc0364f8bec0276abcf796ffeeb81c
parent2a35d196c160e352fa56eabb7952f78f4c85f577 (diff)
downloadlwn-44d37ad3602b3823764eeb0f6c1ee3ef6c4fb936.tar.gz
lwn-44d37ad3602b3823764eeb0f6c1ee3ef6c4fb936.zip
selinux: do not check open perm on ftruncate call
Use the ATTR_FILE attribute to distinguish between truncate() and ftruncate() system calls. The two other cases where do_truncate is called with a filp (and therefore ATTR_FILE is set) are for coredump files and for open(O_TRUNC). In both of those cases the open permission has already been checked during file open and therefore does not need to be repeated. Commit 95dbf739313f ("SELinux: check OPEN on truncate calls") fixed a major issue where domains were allowed to truncate files without the open permission. However, it introduced a new bug where a domain with the write permission can no longer ftruncate files without the open permission, even when they receive an already open file. Signed-off-by: Jeff Vander Stoep <jeffv@google.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <pmoore@redhat.com>
-rw-r--r--security/selinux/hooks.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index e4369d86e588..7cd71cea0503 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2946,7 +2946,8 @@ static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
return dentry_has_perm(cred, dentry, FILE__SETATTR);
- if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))
+ if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)
+ && !(ia_valid & ATTR_FILE))
av |= FILE__OPEN;
return dentry_has_perm(cred, dentry, av);