diff options
| author |   Stephen Smalley <sds@tycho.nsa.gov> | 2017-05-12 12:41:24 -0400 |
|---|---|---|
| committer |   Paul Moore <paul@paul-moore.com> | 2017-05-23 10:23:42 -0400 |
| commit | ccb544781d34afdb73a9a73ae53035d824d193bf (patch) | |
| tree | a5c7f6475061a3b42f887d43870224af13373eba /security/selinux/ss/services.c | |
| parent | selinux: add a map permission check for mmap (diff) | |
| download | linux-dev-ccb544781d34afdb73a9a73ae53035d824d193bf.tar.xz linux-dev-ccb544781d34afdb73a9a73ae53035d824d193bf.zip | |
selinux: do not check open permission on sockets
open permission is currently only defined for files in the kernel
(COMMON_FILE_PERMS rather than COMMON_FILE_SOCK_PERMS). Construction of
an artificial test case that tries to open a socket via /proc/pid/fd will
generate a recvfrom avc denial because recvfrom and open happen to map to
the same permission bit in socket vs file classes.
open of a socket via /proc/pid/fd is not supported by the kernel regardless
and will ultimately return ENXIO. But we hit the permission check first and
can thus produce these odd/misleading denials. Omit the open check when
operating on a socket.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/selinux/ss/services.c')
0 files changed, 0 insertions, 0 deletions