diff options
| author | Eric Paris <eparis@redhat.com> | 2009-03-05 13:40:35 -0500 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2009-03-05 16:50:18 -0500 |
| commit | 6a25b27d602aac24f3c642722377ba5d778417ec (patch) | |
| tree | ba334617326c65ccd98e7f4733c75fa0ac2ae5ca /security/selinux/hooks.c | |
| parent | 113a0e4590881ce579ca992a80ddc562b3372ede (diff) | |
SELinux: open perm for sock files
When I did open permissions I didn't think any sockets would have an open.
Turns out AF_UNIX sockets can have an open when they are bound to the
filesystem namespace. This patch adds a new SOCK_FILE__OPEN permission.
It's safe to add this as the open perms are already predicated on
capabilities and capabilities means we have unknown perm handling so
systems should be as backwards compatible as the policy wants them to
be.
https://bugzilla.redhat.com/show_bug.cgi?id=475224
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/hooks.c')
| -rw-r--r-- | security/selinux/hooks.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 309648c573d8..cd3307a26d11 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -1838,6 +1838,8 @@ static inline u32 open_file_to_av(struct file *file) | |||
| 1838 | av |= FIFO_FILE__OPEN; | 1838 | av |= FIFO_FILE__OPEN; |
| 1839 | else if (S_ISDIR(mode)) | 1839 | else if (S_ISDIR(mode)) |
| 1840 | av |= DIR__OPEN; | 1840 | av |= DIR__OPEN; |
| 1841 | else if (S_ISSOCK(mode)) | ||
| 1842 | av |= SOCK_FILE__OPEN; | ||
| 1841 | else | 1843 | else |
| 1842 | printk(KERN_ERR "SELinux: WARNING: inside %s with " | 1844 | printk(KERN_ERR "SELinux: WARNING: inside %s with " |
| 1843 | "unknown mode:%o\n", __func__, mode); | 1845 | "unknown mode:%o\n", __func__, mode); |