selinux: allow FIOCLEX and FIONCLEX with policy capability
author: Richard Haines <richard_c_haines@btinternet.com>
Fri, 25 Feb 2022 17:54:38 +0000 (17:54 +0000)
committer: Paul Moore <paul@paul-moore.com>
Fri, 25 Feb 2022 20:35:19 +0000 (15:35 -0500)
commit: 65881e1db4e948614d9eb195b8e1197339822949
tree: 5412d30772bda69f399724371c13d53cfa4c1d96
parent: b97df7c098c531010e445da88d02b7bf7bf59ef6
selinux: allow FIOCLEX and FIONCLEX with policy capability

These ioctls are equivalent to fcntl(fd, F_SETFD, flags), which SELinux
always allows too.  Furthermore, a failed FIOCLEX could result in a file
descriptor being leaked to a process that should not have access to it.

As this patch removes access controls, a policy capability needs to be
enabled in policy to always allow these ioctls.

Based-on-patch-by: Demi Marie Obenour <demiobenour@gmail.com>
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
[PM: subject line tweak]
Signed-off-by: Paul Moore <paul@paul-moore.com>
security/selinux/hooks.c
security/selinux/include/policycap.h
security/selinux/include/policycap_names.h
security/selinux/include/security.h
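The commit message states that FIOCLEX/FIONCLEX are equivalent to fcntl(fd, F_SETFD, flags) and that a failed FIOCLEX can leave a descriptor without FD_CLOEXEC, so it survives exec(). The following userspace program is an added example, not part of this kernel commit or of the SELinux tree: it sets and clears close-on-exec through both interfaces on a pipe, confirms via F_GETFD that they touch the same flag, and shows a defensive wrapper that falls back to fcntl() and verifies the final state instead of trusting an unchecked ioctl() return. The helper names (cloexec_is_set, set_cloexec_checked, demo_cloexec_equivalence) are this example's own. It does not name the policy capability, which this page does not spell out.

```c
/* Added example (not part of the kernel commit): compare the two ways of
 * setting close-on-exec that the commit message calls equivalent, and show
 * how a caller can verify the flag rather than trusting an ioctl() return. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Return 1 if FD_CLOEXEC is set on fd, 0 if clear, -1 on error (e.g. EBADF). */
int cloexec_is_set(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* The fcntl route: the path SELinux always allows, per the commit message. */
int set_cloexec_fcntl(int fd, int on)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    flags = on ? (flags | FD_CLOEXEC) : (flags & ~FD_CLOEXEC);
    return fcntl(fd, F_SETFD, flags);
}

/* The ioctl route: before this commit, subject to the per-ioctl SELinux
 * check and therefore able to fail with EACCES/EPERM under a strict policy. */
int set_cloexec_ioctl(int fd, int on)
{
    return ioctl(fd, on ? FIOCLEX : FIONCLEX);
}

/* Defensive wrapper: try the ioctl, fall back to fcntl if it is refused,
 * then read the flag back so a silent failure cannot leak the fd on exec().
 * Returns 0 on success, -1 if the requested state could not be reached. */
int set_cloexec_checked(int fd, int on)
{
    if (set_cloexec_ioctl(fd, on) < 0) {
        if (errno == EACCES || errno == EPERM)
            fprintf(stderr, "FIOCLEX/FIONCLEX denied (%s); using fcntl instead\n",
                    strerror(errno));
        if (set_cloexec_fcntl(fd, on) < 0)
            return -1;
    }
    return cloexec_is_set(fd) == on ? 0 : -1;
}

/* Walk one pipe descriptor through every transition and confirm that both
 * mechanisms observe and change the same flag. Returns 0 if equivalent. */
int demo_cloexec_equivalence(void)
{
    int fds[2];
    int rc = -1;

    if (pipe(fds) < 0)                      /* constructed test descriptor */
        return -1;
    int fd = fds[0];

    if (cloexec_is_set(fd) != 0)            /* pipe() starts with the flag clear */
        goto out;
    if (set_cloexec_ioctl(fd, 1) < 0 || cloexec_is_set(fd) != 1)
        goto out;                           /* FIOCLEX is visible through F_GETFD */
    if (set_cloexec_fcntl(fd, 0) < 0 || cloexec_is_set(fd) != 0)
        goto out;                           /* F_SETFD undoes what FIOCLEX did */
    if (set_cloexec_checked(fd, 1) < 0 || cloexec_is_set(fd) != 1)
        goto out;                           /* checked wrapper lands in the same state */
    rc = 0;
out:
    close(fds[0]);
    close(fds[1]);
    return rc;
}

int main(void)
{
    int rc = demo_cloexec_equivalence();
    printf("ioctl/fcntl close-on-exec equivalence: %s\n", rc == 0 ? "ok" : "FAILED");
    return rc == 0 ? 0 : 1;
}
```

The read-back in set_cloexec_checked is the part worth copying into real code: a process that spawns children while holding a sensitive descriptor should confirm FD_CLOEXEC is actually set, because on a kernel or policy where the ioctl is denied, ignoring the return value is exactly the leak the commit message describes.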