selinux: allow FIOCLEX and FIONCLEX with policy capability
author Richard Haines <richard_c_haines@btinternet.com>
Fri, 25 Feb 2022 17:54:38 +0000 (17:54 +0000)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 8 Apr 2022 12:23:55 +0000 (14:23 +0200)
commit 55d192691b4b7063166e7feafbe44db24dbe205c
tree 95558d2079aba62fdad9c248044b39845eb2ea5b
parent e48c260b0b2a145d93dba2b613d10fcf2179473e

[ Upstream commit 65881e1db4e948614d9eb195b8e1197339822949 ]

These ioctls are equivalent to fcntl(fd, F_SETFD, flags), which SELinux
always allows too.  Furthermore, a failed FIOCLEX could result in a file
descriptor being leaked to a process that should not have access to it.

As this patch removes access controls, a policy capability needs to be
enabled in policy to always allow these ioctls.

Based-on-patch-by: Demi Marie Obenour <demiobenour@gmail.com>
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
[PM: subject line tweak]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
security/selinux/hooks.c
security/selinux/include/policycap.h
security/selinux/include/policycap_names.h
security/selinux/include/security.h
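
The equivalence the commit message relies on can be checked from userspace. The following is an added example, not code from this commit or from the kernel tree: it shows that FIOCLEX/FIONCLEX toggle the same FD_CLOEXEC flag that fcntl(fd, F_SETFD, flags) sets, and that a caller can avoid leaking a descriptor across exec by checking the ioctl result and falling back to fcntl. The helper names (`cloexec_is_set`, `set_cloexec_checked`, `demo_equivalence`) are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Returns 1 if FD_CLOEXEC is set on fd, 0 if clear, -1 on error. */
static int cloexec_is_set(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : (flags & FD_CLOEXEC) != 0;
}

/* Set close-on-exec with FIOCLEX. If the ioctl is refused, fall back to
 * fcntl(F_SETFD), then verify the flag really is set before the fd is
 * trusted not to survive exec. Returns 0 on success, -1 on failure. */
static int set_cloexec_checked(int fd)
{
    if (ioctl(fd, FIOCLEX) != 0) {
        int flags = fcntl(fd, F_GETFD);
        if (flags < 0 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) != 0)
            return -1;
    }
    return cloexec_is_set(fd) == 1 ? 0 : -1;
}

/* Constructed demo on a fresh pipe: both interfaces change one flag.
 * Returns 0 when every step behaves as expected. */
static int demo_equivalence(void)
{
    int p[2];
    if (pipe(p) != 0)
        return -1;
    int ok = cloexec_is_set(p[0]) == 0          /* new pipe fd: flag clear */
          && ioctl(p[0], FIOCLEX) == 0          /* set via ioctl ...       */
          && cloexec_is_set(p[0]) == 1          /* ... seen via fcntl      */
          && ioctl(p[0], FIONCLEX) == 0         /* clear via ioctl         */
          && cloexec_is_set(p[0]) == 0
          && fcntl(p[1], F_SETFD, FD_CLOEXEC) == 0  /* set via fcntl       */
          && cloexec_is_set(p[1]) == 1
          && set_cloexec_checked(p[0]) == 0;    /* checked wrapper         */
    close(p[0]);
    close(p[1]);
    return ok ? 0 : -1;
}

int main(void)
{
    puts(demo_equivalence() == 0 ? "FIOCLEX == F_SETFD" : "mismatch");
    return 0;
}
```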