1 files changed, 8 insertions, 40 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 91b666aec452..f53000803a5d 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -42,9 +42,7 @@
 #include <linux/fdtable.h>
 #include <linux/namei.h>
 #include <linux/mount.h>
-#include <linux/ext2_fs.h>
 #include <linux/proc_fs.h>
-#include <linux/kd.h>
 #include <linux/netfilter_ipv4.h>
 #include <linux/netfilter_ipv6.h>
 #include <linux/tty.h>
@@ -2903,46 +2901,16 @@ static void selinux_file_free_security(struct file *file)
 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
                              unsigned long arg)
 {
-        int error = 0;
+        u32 av = 0;
-        switch (cmd) {
-        case FIONREAD:
-        /* fall through */
-        case FIBMAP:
-        /* fall through */
-        case FIGETBSZ:
-        /* fall through */
-        case EXT2_IOC_GETFLAGS:
-        /* fall through */
-        case EXT2_IOC_GETVERSION:
-                error = file_has_perm(current, file, FILE__GETATTR);
-                break;
-        case EXT2_IOC_SETFLAGS:
-        /* fall through */
-        case EXT2_IOC_SETVERSION:
-                error = file_has_perm(current, file, FILE__SETATTR);
-                break;
-        /* sys_ioctl() checks */
-        case FIONBIO:
-        /* fall through */
-        case FIOASYNC:
-                error = file_has_perm(current, file, 0);
-                break;
-        case KDSKBENT:
+        if (_IOC_DIR(cmd) & _IOC_WRITE)
-        case KDSKBSENT:
+                av |= FILE__WRITE;
-                error = task_has_capability(current, CAP_SYS_TTY_CONFIG);
+        if (_IOC_DIR(cmd) & _IOC_READ)
-                break;
+                av |= FILE__READ;
+        if (!av)
+                av = FILE__IOCTL;
-        /* default case assumes that the command will go
+        return file_has_perm(current, file, av);
-         * to the file's ioctl() function.
-         */
-        default:
-                error = file_has_perm(current, file, FILE__IOCTL);
-        }
-        return error;
 }
 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 91b666aec452..f53000803a5d 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -42,9 +42,7 @@
42	#include <linux/fdtable.h>	42	#include <linux/fdtable.h>
43	#include <linux/namei.h>	43	#include <linux/namei.h>
44	#include <linux/mount.h>	44	#include <linux/mount.h>
45	#include <linux/ext2_fs.h>
46	#include <linux/proc_fs.h>	45	#include <linux/proc_fs.h>
47	#include <linux/kd.h>
48	#include <linux/netfilter_ipv4.h>	46	#include <linux/netfilter_ipv4.h>
49	#include <linux/netfilter_ipv6.h>	47	#include <linux/netfilter_ipv6.h>
50	#include <linux/tty.h>	48	#include <linux/tty.h>
@@ -2903,46 +2901,16 @@ static void selinux_file_free_security(struct file *file)
2903	static int selinux_file_ioctl(struct file *file, unsigned int cmd,	2901	static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2904	unsigned long arg)	2902	unsigned long arg)
2905	{	2903	{
2906	int error = 0;	2904	u32 av = 0;
2907
2908	switch (cmd) {
2909	case FIONREAD:
2910	/* fall through */
2911	case FIBMAP:
2912	/* fall through */
2913	case FIGETBSZ:
2914	/* fall through */
2915	case EXT2_IOC_GETFLAGS:
2916	/* fall through */
2917	case EXT2_IOC_GETVERSION:
2918	error = file_has_perm(current, file, FILE__GETATTR);
2919	break;
2920
2921	case EXT2_IOC_SETFLAGS:
2922	/* fall through */
2923	case EXT2_IOC_SETVERSION:
2924	error = file_has_perm(current, file, FILE__SETATTR);
2925	break;
2926
2927	/* sys_ioctl() checks */
2928	case FIONBIO:
2929	/* fall through */
2930	case FIOASYNC:
2931	error = file_has_perm(current, file, 0);
2932	break;
2933		2905
2934	case KDSKBENT:	2906	if (_IOC_DIR(cmd) & _IOC_WRITE)
2935	case KDSKBSENT:	2907	av \|= FILE__WRITE;
2936	error = task_has_capability(current, CAP_SYS_TTY_CONFIG);	2908	if (_IOC_DIR(cmd) & _IOC_READ)
2937	break;	2909	av \|= FILE__READ;
		2910	if (!av)
		2911	av = FILE__IOCTL;
2938		2912
2939	/* default case assumes that the command will go	2913	return file_has_perm(current, file, av);
2940	* to the file's ioctl() function.
2941	*/
2942	default:
2943	error = file_has_perm(current, file, FILE__IOCTL);
2944	}
2945	return error;
2946	}	2914	}
2947		2915
2948	static int file_map_prot_check(struct file *file, unsigned long prot, int shared)	2916	static int file_map_prot_check(struct file *file, unsigned long prot, int shared)