aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorEric Paris <eparis@redhat.com>2008-11-11 06:02:57 -0500
committerJames Morris <jmorris@namei.org>2008-11-11 06:02:57 -0500
commit066746796bd2f0a1ba210c0dded3b6ee4032692a (patch)
tree868832ca0e199e4f173e23375cffb5fc3870402c /security
parenta2f2945a99057c7d44043465906c6bb63c3368a0 (diff)
Currently SELinux jumps through some ugly hoops to not audit a capbility
check when determining if a process has additional powers to override memory limits or when trying to read/write illegal file labels. Use the new noaudit call instead. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r--security/selinux/hooks.c19
1 files changed, 2 insertions, 17 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 88a3ee33068..378dc53c08e 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1979,16 +1979,8 @@ static int selinux_syslog(int type)
1979static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 1979static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1980{ 1980{
1981 int rc, cap_sys_admin = 0; 1981 int rc, cap_sys_admin = 0;
1982 struct task_security_struct *tsec = current->security;
1983
1984 rc = secondary_ops->capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT);
1985 if (rc == 0)
1986 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1987 SECCLASS_CAPABILITY,
1988 CAP_TO_MASK(CAP_SYS_ADMIN),
1989 0,
1990 NULL);
1991 1982
1983 rc = selinux_capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT);
1992 if (rc == 0) 1984 if (rc == 0)
1993 cap_sys_admin = 1; 1985 cap_sys_admin = 1;
1994 1986
@@ -2820,7 +2812,6 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
2820 u32 size; 2812 u32 size;
2821 int error; 2813 int error;
2822 char *context = NULL; 2814 char *context = NULL;
2823 struct task_security_struct *tsec = current->security;
2824 struct inode_security_struct *isec = inode->i_security; 2815 struct inode_security_struct *isec = inode->i_security;
2825 2816
2826 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 2817 if (strcmp(name, XATTR_SELINUX_SUFFIX))
@@ -2835,13 +2826,7 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
2835 * and lack of permission just means that we fall back to the 2826 * and lack of permission just means that we fall back to the
2836 * in-core context value, not a denial. 2827 * in-core context value, not a denial.
2837 */ 2828 */
2838 error = secondary_ops->capable(current, CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT); 2829 error = selinux_capable(current, CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT);
2839 if (!error)
2840 error = avc_has_perm_noaudit(tsec->sid, tsec->sid,
2841 SECCLASS_CAPABILITY2,
2842 CAPABILITY2__MAC_ADMIN,
2843 0,
2844 NULL);
2845 if (!error) 2830 if (!error)
2846 error = security_sid_to_context_force(isec->sid, &context, 2831 error = security_sid_to_context_force(isec->sid, &context,
2847 &size); 2832 &size);