| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAHC9VhRY8+R3Tnz9TTKiP12u7Cv1QiYnKoMjrS=VkAG-DF=eWg@mail.gmail.com>
Date: Fri, 25 Feb 2022 15:46:35 -0500
From: Paul Moore <paul@...l-moore.com>
To: Richard Haines <richard_c_haines@...nternet.com>
Cc: stephen.smalley.work@...il.com, eparis@...isplace.org,
demiobenour@...il.com, selinux@...r.kernel.org,
linux-kernel@...r.kernel.org, selinux-refpolicy@...r.kernel.org,
jeffv@...gle.com
Subject: Re: [PATCH V4] security/selinux: Always allow FIOCLEX and FIONCLEX
On Fri, Feb 25, 2022 at 12:54 PM Richard Haines
<richard_c_haines@...nternet.com> wrote:
>
> These ioctls are equivalent to fcntl(fd, F_SETFD, flags), which SELinux
> always allows too. Furthermore, a failed FIOCLEX could result in a file
> descriptor being leaked to a process that should not have access to it.
>
> As this patch removes access controls, a policy capability needs to be
> enabled in policy to always allow these ioctls.
>
> Based-on-patch-by: Demi Marie Obenour <demiobenour@...il.com>
> Signed-off-by: Richard Haines <richard_c_haines@...nternet.com>
> ---
> V2 Change: Control via a policy capability.
> V3 Change: Update switch check.
> V4 Change: Use POLICYDB_CAPABILITY_IOCTL_SKIP_CLOEXEC
>
> security/selinux/hooks.c | 6 ++++++
> security/selinux/include/policycap.h | 1 +
> security/selinux/include/policycap_names.h | 3 ++-
> security/selinux/include/security.h | 7 +++++++
> 4 files changed, 16 insertions(+), 1 deletion(-)
Merged into selinux/next, thanks everyone!
--
paul-moore.com
Powered by blists - more mailing lists