SELinux: check open perms in dentry_open not inode_permission (8b6a5a37) · Commits · 戴 / test

security/selinux/hooks.c

+30 −29

Original line number	Diff line number	Diff line
		@@ -1686,15 +1686,39 @@ static inline u32 file_mask_to_av(int mode, int mask)
		return av;
		}

		/* Convert a Linux file to an access vector. */
		static inline u32 file_to_av(struct file *file)
		{
		u32 av = 0;

		if (file->f_mode & FMODE_READ)
		av \|= FILE__READ;
		if (file->f_mode & FMODE_WRITE) {
		if (file->f_flags & O_APPEND)
		av \|= FILE__APPEND;
		else
		av \|= FILE__WRITE;
		}
		if (!av) {
		/*
		* Special file opened with flags 3 for ioctl-only use.
		*/
		av = FILE__IOCTL;
		}

		return av;
		}

		/*
		* Convert a file mask to an access vector and include the correct open
		* Convert a file to an access vector and include the correct open
		* open permission.
		*/
		static inline u32 open_file_mask_to_av(int mode, int mask)
		static inline u32 open_file_to_av(struct file *file)
		{
		u32 av = file_mask_to_av(mode, mask);
		u32 av = file_to_av(file);

		if (selinux_policycap_openperm) {
		mode_t mode = file->f_path.dentry->d_inode->i_mode;
		/*
		* lnk files and socks do not really have an 'open'
		*/
		@@ -1710,34 +1734,11 @@ static inline u32 open_file_mask_to_av(int mode, int mask)
		av \|= DIR__OPEN;
		else
		printk(KERN_ERR "SELinux: WARNING: inside %s with "
		"unknown mode:%x\n", __func__, mode);
		"unknown mode:%o\n", __func__, mode);
		}
		return av;
		}

		/* Convert a Linux file to an access vector. */
		static inline u32 file_to_av(struct file *file)
		{
		u32 av = 0;

		if (file->f_mode & FMODE_READ)
		av \|= FILE__READ;
		if (file->f_mode & FMODE_WRITE) {
		if (file->f_flags & O_APPEND)
		av \|= FILE__APPEND;
		else
		av \|= FILE__WRITE;
		}
		if (!av) {
		/*
		* Special file opened with flags 3 for ioctl-only use.
		*/
		av = FILE__IOCTL;
		}

		return av;
		}

		/* Hook functions begin here. */

		static int selinux_ptrace_may_access(struct task_struct *child,
		@@ -2654,7 +2655,7 @@ static int selinux_inode_permission(struct inode *inode, int mask)
		}

		return inode_has_perm(current, inode,
		open_file_mask_to_av(inode->i_mode, mask), NULL);
		file_mask_to_av(inode->i_mode, mask), NULL);
		}

		static int selinux_inode_setattr(struct dentry dentry, struct iattr iattr)
		@@ -3170,7 +3171,7 @@ static int selinux_dentry_open(struct file *file)
		* new inode label or new policy.
		* This check is not redundant - do not remove.
		*/
		return inode_has_perm(current, inode, file_to_av(file), NULL);
		return inode_has_perm(current, inode, open_file_to_av(file), NULL);
		}

		/* task security operations */

Admin message