aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorEric Paris <eparis@redhat.com>2008-03-11 14:19:34 -0400
committerJames Morris <jmorris@namei.org>2008-04-18 06:26:09 -0400
commiteda4f69ca5a532b425db5a6c2c6bc50717b9b5fe (patch)
tree09b74e5637218c64588e523d6d264fae0b9cb771 /security
parentf0115e6c8980ea9125a17858291c90ecd990bc1c (diff)
SELinux: requesting no permissions in avc_has_perm_noaudit is a BUG()
This patch turns the case where we have a call into avc_has_perm with no requested permissions into a BUG_ON. All callers to this should be in the kernel and thus should be a function we need to fix if we ever hit this. The /selinux/access permission checking it done directly in the security server and not through the avc, so those requests which we cannot control from userspace should not be able to trigger this BUG_ON. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen D. Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r--security/selinux/avc.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 187964e88af1..cb3f0ce0b00a 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -871,6 +871,8 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
871 int rc = 0; 871 int rc = 0;
872 u32 denied; 872 u32 denied;
873 873
874 BUG_ON(!requested);
875
874 rcu_read_lock(); 876 rcu_read_lock();
875 877
876 node = avc_lookup(ssid, tsid, tclass, requested); 878 node = avc_lookup(ssid, tsid, tclass, requested);
@@ -890,7 +892,7 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
890 892
891 denied = requested & ~(p_ae->avd.allowed); 893 denied = requested & ~(p_ae->avd.allowed);
892 894
893 if (!requested || denied) { 895 if (denied) {
894 if (selinux_enforcing || (flags & AVC_STRICT)) 896 if (selinux_enforcing || (flags & AVC_STRICT))
895 rc = -EACCES; 897 rc = -EACCES;
896 else 898 else