Commit 44d37ad3 authored by Jeff Vander Stoep's avatar Jeff Vander Stoep Committed by Paul Moore
Browse files

selinux: do not check open perm on ftruncate call 



Use the ATTR_FILE attribute to distinguish between truncate()
and ftruncate() system calls. The two other cases where
do_truncate is called with a filp (and therefore ATTR_FILE is set)
are for coredump files and for open(O_TRUNC). In both of those cases
the open permission has already been checked during file open and
therefore does not need to be repeated.

Commit 95dbf739 ("SELinux: check OPEN on truncate calls")
fixed a major issue where domains were allowed to truncate files
without the open permission. However, it introduced a new bug where
a domain with the write permission can no longer ftruncate files
without the open permission, even when they receive an already open
file.

Signed-off-by: default avatarJeff Vander Stoep <jeffv@google.com>
Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
parent 2a35d196

security/selinux/hooks.c

+2 −1
Original line number Diff line number Diff line
@@ -2946,7 +2946,8 @@ static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 
			ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))

		return dentry_has_perm(cred, dentry, FILE__SETATTR);



	if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))

	if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)

			&& !(ia_valid & ATTR_FILE))

		av |= FILE__OPEN;



	return dentry_has_perm(cred, dentry, av);

CRA Git | Maintained and supported by SUSTech CRA and CCSE