Re: [PATCH V4] security/selinux: Always allow FIOCLEX and FIONCLEX

From: Paul Moore
Date: Fri Feb 25 2022 - 15:46:52 EST

Next message: Qian Cai: "Re: [PATCH v6 00/71] Introducing the Maple Tree"
Previous message: Kuogee Hsieh: "[PATCH v11 4/4] drm/msm/dp: enable widebus feature for display port"
In reply to: Richard Haines: "[PATCH V4] security/selinux: Always allow FIOCLEX and FIONCLEX"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Feb 25, 2022 at 12:54 PM Richard Haines
<richard_c_haines@xxxxxxxxxxxxxx> wrote:
>
> These ioctls are equivalent to fcntl(fd, F_SETFD, flags), which SELinux
> always allows too. Furthermore, a failed FIOCLEX could result in a file
> descriptor being leaked to a process that should not have access to it.
>
> As this patch removes access controls, a policy capability needs to be
> enabled in policy to always allow these ioctls.
>
> Based-on-patch-by: Demi Marie Obenour <demiobenour@xxxxxxxxx>
> Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
> ---
> V2 Change: Control via a policy capability.
> V3 Change: Update switch check.
> V4 Change: Use POLICYDB_CAPABILITY_IOCTL_SKIP_CLOEXEC
>
> security/selinux/hooks.c | 6 ++++++
> security/selinux/include/policycap.h | 1 +
> security/selinux/include/policycap_names.h | 3 ++-
> security/selinux/include/security.h | 7 +++++++
> 4 files changed, 16 insertions(+), 1 deletion(-)

Merged into selinux/next, thanks everyone!

--
paul-moore.com

Next message: Qian Cai: "Re: [PATCH v6 00/71] Introducing the Maple Tree"
Previous message: Kuogee Hsieh: "[PATCH v11 4/4] drm/msm/dp: enable widebus feature for display port"
In reply to: Richard Haines: "[PATCH V4] security/selinux: Always allow FIOCLEX and FIONCLEX"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]