selinux: fix bug in conditional rules handling
authorStephen Smalley <sds@tycho.nsa.gov>
Mon, 23 Nov 2015 21:07:41 +0000 (16:07 -0500)
committerPaul Moore <pmoore@redhat.com>
Tue, 24 Nov 2015 18:44:32 +0000 (13:44 -0500)
commitf3bef67992e8698897b584616535803887c4a73e
tree325ba1c1ffd8bc09eddbedbecddbe50073715ee7
parent63205654c0e05e5ffa1c6eef2fbef21dcabd2185
selinux: fix bug in conditional rules handling

commit fa1aa143ac4a ("selinux: extended permissions for ioctls")
introduced a bug into the handling of conditional rules, skipping the
processing entirely when the caller does not provide an extended
permissions (xperms) structure.  Access checks from userspace using
/sys/fs/selinux/access do not include such a structure since that
interface does not presently expose extended permission information.
As a result, conditional rules were being ignored entirely on userspace
access requests, producing denials when access was allowed by
conditional rules in the policy.  Fix the bug by only skipping
computation of extended permissions in this situation, not the entire
conditional rules processing.

Reported-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
[PM: fixed long lines in patch description]
Cc: stable@vger.kernel.org # 4.3
Signed-off-by: Paul Moore <pmoore@redhat.com>
security/selinux/ss/conditional.c