summaryrefslogtreecommitdiff
path: root/security/selinux/hooks.c
diff options
context:
space:
mode:
authorStephen Smalley <sds@tycho.nsa.gov>2018-12-12 18:10:55 +0300
committerPaul Moore <paul@paul-moore.com>2019-01-11 04:32:53 +0300
commit3a28cff3bd4bf43f02be0c4e7933aebf3dc8197e (patch)
tree64f75c4103e27e02a5edf203bf5f8a1a420ab1e8 /security/selinux/hooks.c
parentbfeffd155283772bbe78c6a05dec7c0128ee500c (diff)
downloadlinux-3a28cff3bd4bf43f02be0c4e7933aebf3dc8197e.tar.xz
selinux: avoid silent denials in permissive mode under RCU walk
commit 0dc1ba24f7fff6 ("SELINUX: Make selinux cache VFS RCU walks safe") results in no audit messages at all if in permissive mode because the cache is updated during the rcu walk and thus no denial occurs on the subsequent ref walk. Fix this by not updating the cache when performing a non-blocking permission check. This only affects search and symlink read checks during rcu walk. Fixes: 0dc1ba24f7fff6 ("SELINUX: Make selinux cache VFS RCU walks safe") Reported-by: BMK <bmktuwien@gmail.com> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r--security/selinux/hooks.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index f0e36c3492ba..7f6068489a02 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2982,7 +2982,9 @@ static int selinux_inode_permission(struct inode *inode, int mask)
return PTR_ERR(isec);
rc = avc_has_perm_noaudit(&selinux_state,
- sid, isec->sid, isec->sclass, perms, 0, &avd);
+ sid, isec->sid, isec->sclass, perms,
+ (flags & MAY_NOT_BLOCK) ? AVC_NONBLOCKING : 0,
+ &avd);
audited = avc_audit_required(perms, &avd, rc,
from_access ? FILE__AUDIT_ACCESS : 0,
&denied);