SELinux: requesting no permissions in avc_has_perm_noaudit is a BUG()
This patch turns the case where we have a call into avc_has_perm with no requested permissions into a BUG_ON. All callers to this should be in the kernel and thus should be a function we need to fix if we ever hit this. The /selinux/access permission checking it done directly in the security server and not through the avc, so those requests which we cannot control from userspace should not be able to trigger this BUG_ON. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen D. Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
This commit is contained in:
Eric Paris
James Morris
parent
f0115e6c89
commit
eda4f69ca5
1 changed files with 3 additions and 1 deletions
|
|
@ -871,6 +871,8 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
|
|||
int rc = 0;
|
||||
u32 denied;
|
||||
|
||||
BUG_ON(!requested);
|
||||
|
||||
rcu_read_lock();
|
||||
|
||||
node = avc_lookup(ssid, tsid, tclass, requested);
|
||||
|
|
@ -890,7 +892,7 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
|
|||
|
||||
denied = requested & ~(p_ae->avd.allowed);
|
||||
|
||||
if (!requested || denied) {
|
||||
if (denied) {
|
||||
if (selinux_enforcing || (flags & AVC_STRICT))
|
||||
rc = -EACCES;
|
||||
else
|
||||
|
|
|
|||
Loading…
Reference in a new issue