kernel_optimize_test/security/selinux
Richard Haines 448857f580 selinux: allow FIOCLEX and FIONCLEX with policy capability
[ Upstream commit 65881e1db4e948614d9eb195b8e1197339822949 ]

These ioctls are equivalent to fcntl(fd, F_SETFD, flags), which SELinux
always allows too.  Furthermore, a failed FIOCLEX could result in a file
descriptor being leaked to a process that should not have access to it.

As this patch removes access controls, a policy capability needs to be
enabled in policy to always allow these ioctls.

Based-on-patch-by: Demi Marie Obenour <demiobenour@gmail.com>
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
[PM: subject line tweak]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-04-08 14:40:31 +02:00
include selinux: allow FIOCLEX and FIONCLEX with policy capability 2022-04-08 14:40:31 +02:00
ss selinux: fix double free of cond_list on error paths 2022-02-08 18:30:34 +01:00
.gitignore
avc.c selinux: use __GFP_NOWARN with GFP_NOWAIT in the AVC 2021-07-19 09:44:49 +02:00
hooks.c selinux: allow FIOCLEX and FIONCLEX with policy capability 2022-04-08 14:40:31 +02:00
ibpkey.c selinux: Fix error return code in sel_ib_pkey_sid_slow() 2020-11-12 20:16:09 -05:00
Kconfig
Makefile
netif.c
netlabel.c
netlink.c
netnode.c
netport.c
nlmsgtab.c
selinuxfs.c selinux: check return value of sel_make_avc_files 2022-04-08 14:39:59 +02:00
status.c
xfrm.c selinux: use correct type for context length 2022-04-08 14:40:31 +02:00