aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorStephen Smalley <sds@tycho.nsa.gov>2008-05-21 14:16:12 -0400
committerJames Morris <jmorris@namei.org>2008-07-14 01:01:52 -0400
commitabc69bb633931bf54c6db798bcdc6fd1e0284742 (patch)
tree711aaf6c5e1d8bdd57138e8baf3a369ed832602d
parent006ebb40d3d65338bd74abb03b945f8d60e362bd (diff)
SELinux: enable processes with mac_admin to get the raw inode contexts
Enable processes with CAP_MAC_ADMIN + mac_admin permission in policy to get undefined contexts on inodes. This extends the support for deferred mapping of security contexts in order to permit restorecon and similar programs to see the raw file contexts unknown to the system policy in order to check them. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r--security/selinux/hooks.c27
1 files changed, 23 insertions, 4 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 4be156334b22..91b666aec452 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2754,9 +2754,7 @@ static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2754} 2754}
2755 2755
2756/* 2756/*
2757 * Copy the in-core inode security context value to the user. If the 2757 * Copy the inode security context value to the user.
2758 * getxattr() prior to this succeeded, check to see if we need to
2759 * canonicalize the value to be finally returned to the user.
2760 * 2758 *
2761 * Permission check is handled by selinux_inode_getxattr hook. 2759 * Permission check is handled by selinux_inode_getxattr hook.
2762 */ 2760 */
@@ -2765,12 +2763,33 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
2765 u32 size; 2763 u32 size;
2766 int error; 2764 int error;
2767 char *context = NULL; 2765 char *context = NULL;
2766 struct task_security_struct *tsec = current->security;
2768 struct inode_security_struct *isec = inode->i_security; 2767 struct inode_security_struct *isec = inode->i_security;
2769 2768
2770 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 2769 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2771 return -EOPNOTSUPP; 2770 return -EOPNOTSUPP;
2772 2771
2773 error = security_sid_to_context(isec->sid, &context, &size); 2772 /*
2773 * If the caller has CAP_MAC_ADMIN, then get the raw context
2774 * value even if it is not defined by current policy; otherwise,
2775 * use the in-core value under current policy.
2776 * Use the non-auditing forms of the permission checks since
2777 * getxattr may be called by unprivileged processes commonly
2778 * and lack of permission just means that we fall back to the
2779 * in-core context value, not a denial.
2780 */
2781 error = secondary_ops->capable(current, CAP_MAC_ADMIN);
2782 if (!error)
2783 error = avc_has_perm_noaudit(tsec->sid, tsec->sid,
2784 SECCLASS_CAPABILITY2,
2785 CAPABILITY2__MAC_ADMIN,
2786 0,
2787 NULL);
2788 if (!error)
2789 error = security_sid_to_context_force(isec->sid, &context,
2790 &size);
2791 else
2792 error = security_sid_to_context(isec->sid, &context, &size);
2774 if (error) 2793 if (error)
2775 return error; 2794 return error;
2776 error = size; 2795 error = size;