Commit 86a71dbd authored Feb 14, 2007 by Eric W. Biederman Committed by Linus Torvalds Feb 14, 2007

[PATCH] sysctl: hide the sysctl proc inodes from selinux

Since the security checks are applied on each read and write of a sysctl file,
just like they are applied when calling sys_sysctl, they are redundant on the
standard VFS constructs. Since it is difficult to compute the security labels
on the standard VFS constructs we just mark the sysctl inodes in proc private
so selinux won't even bother with them.

Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

parent bbaca6c2

fs/proc/proc_sysctl.c

+1 −0

Original line number	Original line	Diff line number	Diff line
	@@ -47,6 +47,7 @@ static struct inode proc_sys_make_inode(struct inode dir, struct ctl_table *ta
	inode->i_mtime = inode->i_atime = inode->i_ctime = CURRENT_TIME;		inode->i_mtime = inode->i_atime = inode->i_ctime = CURRENT_TIME;
	inode->i_op = &proc_sys_inode_operations;		inode->i_op = &proc_sys_inode_operations;
	inode->i_fop = &proc_sys_file_operations;		inode->i_fop = &proc_sys_file_operations;
			inode->i_flags \|= S_PRIVATE; /* tell selinux to ignore this inode */
	proc_sys_refresh_inode(inode, table);		proc_sys_refresh_inode(inode, table);
	out:		out:
	return inode;		return inode;

Admin message