kernel_optimize_test/security/selinux/ss
Stephen Smalley f3bef67992 selinux: fix bug in conditional rules handling
commit fa1aa143ac ("selinux: extended permissions for ioctls")
introduced a bug into the handling of conditional rules, skipping the
processing entirely when the caller does not provide an extended
permissions (xperms) structure.  Access checks from userspace using
/sys/fs/selinux/access do not include such a structure since that
interface does not presently expose extended permission information.
As a result, conditional rules were being ignored entirely on userspace
access requests, producing denials when access was allowed by
conditional rules in the policy.  Fix the bug by only skipping
computation of extended permissions in this situation, not the entire
conditional rules processing.

Reported-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
[PM: fixed long lines in patch description]
Cc: stable@vger.kernel.org # 4.3
Signed-off-by: Paul Moore <pmoore@redhat.com>
2015-11-24 13:44:32 -05:00
..
avtab.c selinux: extended permissions for ioctls 2015-07-13 13:31:58 -04:00
avtab.h selinux: extended permissions for ioctls 2015-07-13 13:31:58 -04:00
conditional.c selinux: fix bug in conditional rules handling 2015-11-24 13:44:32 -05:00
conditional.h selinux: extended permissions for ioctls 2015-07-13 13:31:58 -04:00
constraint.h
context.h
ebitmap.c selinux: don't waste ebitmap space when importing NetLabel categories 2015-07-09 14:20:36 -04:00
ebitmap.h
hashtab.c
hashtab.h
mls_types.h
mls.c
mls.h
policydb.c selinux: extended permissions for ioctls 2015-07-13 13:31:58 -04:00
policydb.h
services.c selinux: use sprintf return value 2015-10-21 17:44:27 -04:00
services.h selinux: extended permissions for ioctls 2015-07-13 13:31:58 -04:00
sidtab.c
sidtab.h
status.c
symtab.c
symtab.h