Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / b983b2a5969c9ee4e2ec73ff3444ec6814441cb8
commitb983b2a5969c9ee4e2ec73ff3444ec6814441cb8[log] [tgz]
authorStephen Smalley <sds@tycho.nsa.gov>Fri May 12 12:41:24 2017 -0400
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>Fri Apr 13 19:48:04 2018 +0200
tree7b06005a316980f3d7f299f3e2deeb3d1d1d0e82
parent2c582b6bac13e495d6c14fdd1f866b93ff90cddc [diff]
selinux: do not check open permission on sockets


[ Upstream commit ccb544781d34afdb73a9a73ae53035d824d193bf ]

open permission is currently only defined for files in the kernel
(COMMON_FILE_PERMS rather than COMMON_FILE_SOCK_PERMS). Construction of
an artificial test case that tries to open a socket via /proc/pid/fd will
generate a recvfrom avc denial because recvfrom and open happen to map to
the same permission bit in socket vs file classes.

open of a socket via /proc/pid/fd is not supported by the kernel regardless
and will ultimately return ENXIO. But we hit the permission check first and
can thus produce these odd/misleading denials.  Omit the open check when
operating on a socket.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1 file changed
tree: 7b06005a316980f3d7f299f3e2deeb3d1d1d0e82
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .cocciconfig
  24. .get_maintainer.ignore
  25. .gitattributes
  26. .gitignore
  27. .mailmap
  28. COPYING
  29. CREDITS
  30. Kbuild
  31. Kconfig
  32. MAINTAINERS
  33. Makefile
  34. README
  35. REPORTING-BUGS