[PATCH -v3 4/4] SELinux: use new cap_noaudit interface

From: Eric Paris
Date: Fri Nov 07 2008 - 10:24:45 EST

Next message: David Howells: "Re: [PATCH 04/10] frv: use the new byteorder headers"
Previous message: Eric Paris: "[PATCH -v3 3/4] filesystems: use has_capability_noaudit interface forreserved blocks checks"
In reply to: Eric Paris: "[PATCH -v3 3/4] filesystems: use has_capability_noaudit interface forreserved blocks checks"
Next in thread: Stephen Smalley: "Re: [PATCH -v3 4/4] SELinux: use new cap_noaudit interface"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Currently SELinux jumps through some ugly hoops to not audit a capbility
check when determining if a process has additional powers to override
memory limits or when trying to read/write illegal file labels. Use
the new noaudit call instead.

Signed-off-by: Eric Paris <eparis@xxxxxxxxxx>
---

security/selinux/hooks.c | 19 ++-----------------
1 files changed, 2 insertions(+), 17 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 0d4ee8c..d3fd051 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1978,16 +1978,8 @@ static int selinux_syslog(int type)
static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
{
int rc, cap_sys_admin = 0;
- struct task_security_struct *tsec = current->security;
-
- rc = secondary_ops->capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT);
- if (rc == 0)
- rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
- SECCLASS_CAPABILITY,
- CAP_TO_MASK(CAP_SYS_ADMIN),
- 0,
- NULL);

+ rc = selinux_capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT);
if (rc == 0)
cap_sys_admin = 1;

@@ -2812,7 +2804,6 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
u32 size;
int error;
char *context = NULL;
- struct task_security_struct *tsec = current->security;
struct inode_security_struct *isec = inode->i_security;

if (strcmp(name, XATTR_SELINUX_SUFFIX))
@@ -2827,13 +2818,7 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
* and lack of permission just means that we fall back to the
* in-core context value, not a denial.
*/
- error = secondary_ops->capable(current, CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT);
- if (!error)
- error = avc_has_perm_noaudit(tsec->sid, tsec->sid,
- SECCLASS_CAPABILITY2,
- CAPABILITY2__MAC_ADMIN,
- 0,
- NULL);
+ error = selinux_capable(current, CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT);
if (!error)
error = security_sid_to_context_force(isec->sid, &context,
&size);

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: David Howells: "Re: [PATCH 04/10] frv: use the new byteorder headers"
Previous message: Eric Paris: "[PATCH -v3 3/4] filesystems: use has_capability_noaudit interface forreserved blocks checks"
In reply to: Eric Paris: "[PATCH -v3 3/4] filesystems: use has_capability_noaudit interface forreserved blocks checks"
Next in thread: Stephen Smalley: "Re: [PATCH -v3 4/4] SELinux: use new cap_noaudit interface"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]