summaryrefslogtreecommitdiffstats
path: root/security/selinux
diff options
context:
space:
mode:
authorEric Paris <eparis@redhat.com>2012-04-04 13:45:34 -0400
committerEric Paris <eparis@redhat.com>2012-04-09 12:22:49 -0400
commit95dbf739313f09c8d859bde1373bc264ef979337 (patch)
treec798947b740826f1fc6403d8ed840565a086e7ea /security/selinux
parenteed7795d0a2c9b2e934afc088e903fa2c17b7958 (diff)
downloadlinux-95dbf739313f09c8d859bde1373bc264ef979337.tar.gz
linux-95dbf739313f09c8d859bde1373bc264ef979337.tar.bz2
linux-95dbf739313f09c8d859bde1373bc264ef979337.zip
SELinux: check OPEN on truncate calls
In RH BZ 578841 we realized that the SELinux sandbox program was allowed to truncate files outside of the sandbox. The reason is because sandbox confinement is determined almost entirely by the 'open' permission. The idea was that if the sandbox was unable to open() files it would be unable to do harm to those files. This turns out to be false in light of syscalls like truncate() and chmod() which don't require a previous open() call. I looked at the syscalls that did not have an associated 'open' check and found that truncate(), did not have a seperate permission and even if it did have a separate permission such a permission owuld be inadequate for use by sandbox (since it owuld have to be granted so liberally as to be useless). This patch checks the OPEN permission on truncate. I think a better solution for sandbox is a whole new permission, but at least this fixes what we have today. Signed-off-by: Eric Paris <eparis@redhat.com>
Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/hooks.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index d85b793c9321..f7d7e779c7f3 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2708,6 +2708,7 @@ static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
{
const struct cred *cred = current_cred();
unsigned int ia_valid = iattr->ia_valid;
+ __u32 av = FILE__WRITE;
/* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
if (ia_valid & ATTR_FORCE) {
@@ -2721,7 +2722,10 @@ static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
return dentry_has_perm(cred, dentry, FILE__SETATTR);
- return dentry_has_perm(cred, dentry, FILE__WRITE);
+ if (ia_valid & ATTR_SIZE)
+ av |= FILE__OPEN;
+
+ return dentry_has_perm(cred, dentry, av);
}
static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)