Home
last modified time | relevance | path

Searched hist:"65881 e1db4e948614d9eb195b8e1197339822949" (Results 1 – 4 of 4) sorted by relevance

/linux/security/selinux/include/
H A Dpolicycap.hdiff 65881e1db4e948614d9eb195b8e1197339822949 Fri Feb 25 18:54:38 CET 2022 Richard Haines <richard_c_haines@btinternet.com> selinux: allow FIOCLEX and FIONCLEX with policy capability

These ioctls are equivalent to fcntl(fd, F_SETFD, flags), which SELinux
always allows too. Furthermore, a failed FIOCLEX could result in a file
descriptor being leaked to a process that should not have access to it.

As this patch removes access controls, a policy capability needs to be
enabled in policy to always allow these ioctls.

Based-on-patch-by: Demi Marie Obenour <demiobenour@gmail.com>
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
[PM: subject line tweak]
Signed-off-by: Paul Moore <paul@paul-moore.com>
H A Dpolicycap_names.hdiff 65881e1db4e948614d9eb195b8e1197339822949 Fri Feb 25 18:54:38 CET 2022 Richard Haines <richard_c_haines@btinternet.com> selinux: allow FIOCLEX and FIONCLEX with policy capability

These ioctls are equivalent to fcntl(fd, F_SETFD, flags), which SELinux
always allows too. Furthermore, a failed FIOCLEX could result in a file
descriptor being leaked to a process that should not have access to it.

As this patch removes access controls, a policy capability needs to be
enabled in policy to always allow these ioctls.

Based-on-patch-by: Demi Marie Obenour <demiobenour@gmail.com>
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
[PM: subject line tweak]
Signed-off-by: Paul Moore <paul@paul-moore.com>
H A Dsecurity.hdiff 65881e1db4e948614d9eb195b8e1197339822949 Fri Feb 25 18:54:38 CET 2022 Richard Haines <richard_c_haines@btinternet.com> selinux: allow FIOCLEX and FIONCLEX with policy capability

These ioctls are equivalent to fcntl(fd, F_SETFD, flags), which SELinux
always allows too. Furthermore, a failed FIOCLEX could result in a file
descriptor being leaked to a process that should not have access to it.

As this patch removes access controls, a policy capability needs to be
enabled in policy to always allow these ioctls.

Based-on-patch-by: Demi Marie Obenour <demiobenour@gmail.com>
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
[PM: subject line tweak]
Signed-off-by: Paul Moore <paul@paul-moore.com>
/linux/security/selinux/
H A Dhooks.cdiff 65881e1db4e948614d9eb195b8e1197339822949 Fri Feb 25 18:54:38 CET 2022 Richard Haines <richard_c_haines@btinternet.com> selinux: allow FIOCLEX and FIONCLEX with policy capability

These ioctls are equivalent to fcntl(fd, F_SETFD, flags), which SELinux
always allows too. Furthermore, a failed FIOCLEX could result in a file
descriptor being leaked to a process that should not have access to it.

As this patch removes access controls, a policy capability needs to be
enabled in policy to always allow these ioctls.

Based-on-patch-by: Demi Marie Obenour <demiobenour@gmail.com>
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
[PM: subject line tweak]
Signed-off-by: Paul Moore <paul@paul-moore.com>