Re: [PATCH -v3 4/4] SELinux: use new cap_noaudit interface

From: Stephen Smalley
Date: Fri Nov 07 2008 - 10:39:58 EST

Next message: Stephen Smalley: "Re: [PATCH -v3 2/4] vm: use new has_capability_noaudit"
Previous message: Arnaldo Carvalho de Melo: "Re: [PATCH][v3] blktrace: conversion to tracepoints"
In reply to: Eric Paris: "[PATCH -v3 4/4] SELinux: use new cap_noaudit interface"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 2008-11-07 at 10:23 -0500, Eric Paris wrote:
> Currently SELinux jumps through some ugly hoops to not audit a capbility
> check when determining if a process has additional powers to override
> memory limits or when trying to read/write illegal file labels. Use
> the new noaudit call instead.
>
> Signed-off-by: Eric Paris <eparis@xxxxxxxxxx>

Acked-by: Stephen Smalley <sds@xxxxxxxxxxxxx>

> ---
>
> security/selinux/hooks.c | 19 ++-----------------
> 1 files changed, 2 insertions(+), 17 deletions(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 0d4ee8c..d3fd051 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -1978,16 +1978,8 @@ static int selinux_syslog(int type)
> static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
> {
> int rc, cap_sys_admin = 0;
> - struct task_security_struct *tsec = current->security;
> -
> - rc = secondary_ops->capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT);
> - if (rc == 0)
> - rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
> - SECCLASS_CAPABILITY,
> - CAP_TO_MASK(CAP_SYS_ADMIN),
> - 0,
> - NULL);
>
> + rc = selinux_capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT);
> if (rc == 0)
> cap_sys_admin = 1;
>
> @@ -2812,7 +2804,6 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
> u32 size;
> int error;
> char *context = NULL;
> - struct task_security_struct *tsec = current->security;
> struct inode_security_struct *isec = inode->i_security;
>
> if (strcmp(name, XATTR_SELINUX_SUFFIX))
> @@ -2827,13 +2818,7 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
> * and lack of permission just means that we fall back to the
> * in-core context value, not a denial.
> */
> - error = secondary_ops->capable(current, CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT);
> - if (!error)
> - error = avc_has_perm_noaudit(tsec->sid, tsec->sid,
> - SECCLASS_CAPABILITY2,
> - CAPABILITY2__MAC_ADMIN,
> - 0,
> - NULL);
> + error = selinux_capable(current, CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT);
> if (!error)
> error = security_sid_to_context_force(isec->sid, &context,
> &size);
--
Stephen Smalley
National Security Agency

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Stephen Smalley: "Re: [PATCH -v3 2/4] vm: use new has_capability_noaudit"
Previous message: Arnaldo Carvalho de Melo: "Re: [PATCH][v3] blktrace: conversion to tracepoints"
In reply to: Eric Paris: "[PATCH -v3 4/4] SELinux: use new cap_noaudit interface"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]