summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authorAmerigo Wang <amwang@redhat.com>2009-08-20 19:29:02 -0700
committerJames Morris <jmorris@namei.org>2009-08-21 14:25:30 +1000
commitbc6a6008e5e3c7a30191a7f19ab19e85b14b1705 (patch)
tree46504659c2303224cb3c8ad13e1d1b580351b41b /security
parentece13879e74313e62109e0755dd3d4f172df89e2 (diff)
downloadlwn-bc6a6008e5e3c7a30191a7f19ab19e85b14b1705.tar.gz
lwn-bc6a6008e5e3c7a30191a7f19ab19e85b14b1705.zip
selinux: adjust rules for ATTR_FORCE
As suggested by OGAWA Hirofumi in thread: http://lkml.org/lkml/2009/8/7/132, we should let selinux_inode_setattr() to match our ATTR_* rules. ATTR_FORCE should not force things like ATTR_SIZE. [hirofumi@mail.parknet.co.jp: tweaks] Signed-off-by: WANG Cong <amwang@redhat.com> Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Eric Paris <eparis@redhat.com> Cc: Eugene Teo <eteo@redhat.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Christoph Hellwig <hch@lst.de> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r--security/selinux/hooks.c16
1 files changed, 11 insertions, 5 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 6d0b1ccb5b99..ac79f9ef2da8 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2711,12 +2711,18 @@ static int selinux_inode_permission(struct inode *inode, int mask)
static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
{
const struct cred *cred = current_cred();
+ unsigned int ia_valid = iattr->ia_valid;
+
+ /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
+ if (ia_valid & ATTR_FORCE) {
+ ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
+ ATTR_FORCE);
+ if (!ia_valid)
+ return 0;
+ }
- if (iattr->ia_valid & ATTR_FORCE)
- return 0;
-
- if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
- ATTR_ATIME_SET | ATTR_MTIME_SET))
+ if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
+ ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);