Skip to content
Commit f3bef679 authored by Stephen Smalley's avatar Stephen Smalley Committed by Paul Moore
Browse files

selinux: fix bug in conditional rules handling



commit fa1aa143 ("selinux: extended permissions for ioctls")
introduced a bug into the handling of conditional rules, skipping the
processing entirely when the caller does not provide an extended
permissions (xperms) structure.  Access checks from userspace using
/sys/fs/selinux/access do not include such a structure since that
interface does not presently expose extended permission information.
As a result, conditional rules were being ignored entirely on userspace
access requests, producing denials when access was allowed by
conditional rules in the policy.  Fix the bug by only skipping
computation of extended permissions in this situation, not the entire
conditional rules processing.

Reported-by: default avatarLaurent Bigonville <bigon@debian.org>
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
[PM: fixed long lines in patch description]
Cc: stable@vger.kernel.org # 4.3
Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
parent 63205654
Loading
Loading
Loading
Loading
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment