Currently SELinux jumps through some ugly hoops to not audit a capability
check when determining if a process has additional powers to override memory limits or when trying to read/write illegal file labels. Use the new noaudit call instead. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
parent
a2f2945a99
commit
066746796b
1 changed files with 2 additions and 17 deletions
|
@ -1979,16 +1979,8 @@ static int selinux_syslog(int type)
|
|||
static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
|
||||
{
|
||||
int rc, cap_sys_admin = 0;
|
||||
struct task_security_struct *tsec = current->security;
|
||||
|
||||
rc = secondary_ops->capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT);
|
||||
if (rc == 0)
|
||||
rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
|
||||
SECCLASS_CAPABILITY,
|
||||
CAP_TO_MASK(CAP_SYS_ADMIN),
|
||||
0,
|
||||
NULL);
|
||||
|
||||
rc = selinux_capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT);
|
||||
if (rc == 0)
|
||||
cap_sys_admin = 1;
|
||||
|
||||
|
@ -2820,7 +2812,6 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
|
|||
u32 size;
|
||||
int error;
|
||||
char *context = NULL;
|
||||
struct task_security_struct *tsec = current->security;
|
||||
struct inode_security_struct *isec = inode->i_security;
|
||||
|
||||
if (strcmp(name, XATTR_SELINUX_SUFFIX))
|
||||
|
@ -2835,13 +2826,7 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
|
|||
* and lack of permission just means that we fall back to the
|
||||
* in-core context value, not a denial.
|
||||
*/
|
||||
error = secondary_ops->capable(current, CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT);
|
||||
if (!error)
|
||||
error = avc_has_perm_noaudit(tsec->sid, tsec->sid,
|
||||
SECCLASS_CAPABILITY2,
|
||||
CAPABILITY2__MAC_ADMIN,
|
||||
0,
|
||||
NULL);
|
||||
error = selinux_capable(current, CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT);
|
||||
if (!error)
|
||||
error = security_sid_to_context_force(isec->sid, &context,
|
||||
&size);
|
||||
|
|
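Review bot: The new `selinux_capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT)` call in selinux_vm_enough_memory has no comment saying why the check is deliberately unaudited, whereas the CAP_MAC_ADMIN call in selinux_inode_getsecurity sits under a comment explaining that lack of permission there is only a fallback. I would add above it something like `/* Probe only: a denial just leaves cap_sys_admin at 0, so it must not generate an audit record. */`. Both replacements match the removed open-coded checks only if selinux_capable, which is defined outside these hunks, forwards the audit argument to the secondary capable hook and to the AVC check and maps CAP_MAC_ADMIN to the capability2 class, so that is worth confirming against its definition. Both function bodies continue outside the hunks.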