summaryrefslogtreecommitdiff
path: root/security/selinux
diff options
context:
space:
mode:
authorOndrej Mosnacek <omosnace@redhat.com>2019-06-12 10:12:26 +0200
committerPaul Moore <paul@paul-moore.com>2019-06-12 16:04:05 -0400
commit464c258aa45b09f16aa0f05847ed8895873262d9 (patch)
treec00d9804a2c75ee26316361269ddeaa85be9229a /security/selinux
parentbeee56f3543ae688f7b3f65a5e234b59856eff48 (diff)
downloadlwn-464c258aa45b09f16aa0f05847ed8895873262d9.tar.gz
lwn-464c258aa45b09f16aa0f05847ed8895873262d9.zip
selinux: fix empty write to keycreate file
When sid == 0 (we are resetting keycreate_sid to the default value), we should skip the KEY__CREATE check. Before this patch, doing a zero-sized write to /proc/self/keycreate would check if the current task can create unlabeled keys (which would usually fail with -EACCESS and generate an AVC). Now it skips the check and correctly sets the task's keycreate_sid to 0. Bug report: https://bugzilla.redhat.com/show_bug.cgi?id=1719067 Tested using the reproducer from the report above. Fixes: 4eb582cf1fbd ("[PATCH] keys: add a way to store the appropriate context for newly-created keys") Reported-by: Kir Kolyshkin <kir@sacred.ru> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/hooks.c11
1 files changed, 6 insertions, 5 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index c61787b15f27..f77b314d0575 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -6331,11 +6331,12 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
} else if (!strcmp(name, "fscreate")) {
tsec->create_sid = sid;
} else if (!strcmp(name, "keycreate")) {
- error = avc_has_perm(&selinux_state,
- mysid, sid, SECCLASS_KEY, KEY__CREATE,
- NULL);
- if (error)
- goto abort_change;
+ if (sid) {
+ error = avc_has_perm(&selinux_state, mysid, sid,
+ SECCLASS_KEY, KEY__CREATE, NULL);
+ if (error)
+ goto abort_change;
+ }
tsec->keycreate_sid = sid;
} else if (!strcmp(name, "sockcreate")) {
tsec->sockcreate_sid = sid;