authorStephen Smalley <sds@tycho.nsa.gov>2015-11-23 16:07:41 -0500
committerPaul Moore <pmoore@redhat.com>2015-11-24 13:44:32 -0500
commitf3bef67992e8698897b584616535803887c4a73e (patch)
tree325ba1c1ffd8bc09eddbedbecddbe50073715ee7 /security/selinux/ss/conditional.c
parent63205654c0e05e5ffa1c6eef2fbef21dcabd2185 (diff)
selinux: fix bug in conditional rules handling
commit fa1aa143ac4a ("selinux: extended permissions for ioctls") introduced a bug into the handling of conditional rules, skipping the processing entirely when the caller does not provide an extended permissions (xperms) structure. Access checks from userspace using /sys/fs/selinux/access do not include such a structure since that interface does not presently expose extended permission information. As a result, conditional rules were being ignored entirely on userspace access requests, producing denials when access was allowed by conditional rules in the policy. Fix the bug by only skipping computation of extended permissions in this situation, not the entire conditional rules processing. Reported-by: Laurent Bigonville <bigon@debian.org> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> [PM: fixed long lines in patch description] Cc: stable@vger.kernel.org # 4.3 Signed-off-by: Paul Moore <pmoore@redhat.com>
Diffstat (limited to 'security/selinux/ss/conditional.c')
-rw-r--r--security/selinux/ss/conditional.c4
1 files changed, 2 insertions, 2 deletions
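diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
index 18643bf9894d..456e1a9bcfde 100644
--- a/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c
@@ -638,7 +638,7 @@ void cond_compute_av(struct avtab *ctab, struct avtab_key *key,
 {
 	struct avtab_node *node;
 
-	if (!ctab || !key || !avd || !xperms)
+	if (!ctab || !key || !avd)
 		return;
 
 	for (node = avtab_search_node(ctab, key); node;
@@ -657,7 +657,7 @@ void cond_compute_av(struct avtab *ctab, struct avtab_key *key,
 	if ((u16)(AVTAB_AUDITALLOW|AVTAB_ENABLED) ==
 	    (node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED)))
 		avd->auditallow |= node->datum.u.data;
-	if ((node->key.specified & AVTAB_ENABLED) &&
+	if (xperms && (node->key.specified & AVTAB_ENABLED) &&
 	    (node->key.specified & AVTAB_XPERMS))
 		services_compute_xperms_drivers(xperms, node);
 	}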
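Review bot: The relaxed guard on the first hunk makes `xperms` an optional argument of cond_compute_av(), but nothing in the function records that contract, so a later caller or refactor could easily put `!xperms` back into the early return and silently reintroduce the same denial bug for /sys/fs/selinux/access. I would add a comment above the guard, e.g. `/* xperms may be NULL (userspace access checks pass none); avd is still computed, only the xperms driver table is skipped. */`. It is also worth a one-line note at the second hunk that the `xperms &&` test is what suppresses services_compute_xperms_drivers() rather than the whole rule, since the two checks are 20 lines apart. The signature of cond_compute_av() and the middle of its loop body lie outside these hunks, so whether any other path dereferences xperms unconditionally cannot be confirmed from here and should be checked.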