mirror of
https://github.com/adulau/aha.git
synced 2024-12-29 12:16:20 +00:00
SELinux: enable processes with mac_admin to get the raw inode contexts
Enable processes with CAP_MAC_ADMIN + mac_admin permission in policy to get undefined contexts on inodes. This extends the support for deferred mapping of security contexts in order to permit restorecon and similar programs to see the raw file contexts unknown to the system policy in order to check them. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
This commit is contained in:
parent
006ebb40d3
commit
abc69bb633
1 changed files with 23 additions and 4 deletions
|
@ -2754,9 +2754,7 @@ static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copy the in-core inode security context value to the user. If the
|
* Copy the inode security context value to the user.
|
||||||
* getxattr() prior to this succeeded, check to see if we need to
|
|
||||||
* canonicalize the value to be finally returned to the user.
|
|
||||||
*
|
*
|
||||||
* Permission check is handled by selinux_inode_getxattr hook.
|
* Permission check is handled by selinux_inode_getxattr hook.
|
||||||
*/
|
*/
|
||||||
|
@ -2765,11 +2763,32 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
|
||||||
u32 size;
|
u32 size;
|
||||||
int error;
|
int error;
|
||||||
char *context = NULL;
|
char *context = NULL;
|
||||||
|
struct task_security_struct *tsec = current->security;
|
||||||
struct inode_security_struct *isec = inode->i_security;
|
struct inode_security_struct *isec = inode->i_security;
|
||||||
|
|
||||||
if (strcmp(name, XATTR_SELINUX_SUFFIX))
|
if (strcmp(name, XATTR_SELINUX_SUFFIX))
|
||||||
return -EOPNOTSUPP;
|
return -EOPNOTSUPP;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* If the caller has CAP_MAC_ADMIN, then get the raw context
|
||||||
|
* value even if it is not defined by current policy; otherwise,
|
||||||
|
* use the in-core value under current policy.
|
||||||
|
* Use the non-auditing forms of the permission checks since
|
||||||
|
* getxattr may be called by unprivileged processes commonly
|
||||||
|
* and lack of permission just means that we fall back to the
|
||||||
|
* in-core context value, not a denial.
|
||||||
|
*/
|
||||||
|
error = secondary_ops->capable(current, CAP_MAC_ADMIN);
|
||||||
|
if (!error)
|
||||||
|
error = avc_has_perm_noaudit(tsec->sid, tsec->sid,
|
||||||
|
SECCLASS_CAPABILITY2,
|
||||||
|
CAPABILITY2__MAC_ADMIN,
|
||||||
|
0,
|
||||||
|
NULL);
|
||||||
|
if (!error)
|
||||||
|
error = security_sid_to_context_force(isec->sid, &context,
|
||||||
|
&size);
|
||||||
|
else
|
||||||
error = security_sid_to_context(isec->sid, &context, &size);
|
error = security_sid_to_context(isec->sid, &context, &size);
|
||||||
if (error)
|
if (error)
|
||||||
return error;
|
return error;
|
||||||
|
|
Loading…
Reference in a new issue