As suggested by OGAWA Hirofumi in thread: http://lkml.org/lkml/2009/8/7/132, we should let selinux_inode_setattr() to match our ATTR_* rules. ATTR_FORCE should not force things like ATTR_SIZE. Cc: OGAWA Hirofumi <hirofumi@xxxxxxxxxxxxxxxxxx> Cc: Stephen Smalley <sds@xxxxxxxxxxxxx> Cc: Eric Paris <eparis@xxxxxxxxxx> Signed-off-by: WANG Cong <amwang@xxxxxxxxxx> --- diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 1e8cfc4..3ee3365 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2708,18 +2708,24 @@ static int selinux_inode_permission(struct inode *inode, int mask) file_mask_to_av(inode->i_mode, mask), NULL); } +#define SELINUX_FORCED_MASK (ATTR_MODE | ATTR_UID | ATTR_GID | \ + ATTR_ATIME_SET | ATTR_MTIME_SET) static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) { const struct cred *cred = current_cred(); + unsigned int ia_valid = iattr->ia_valid; + int err = 0; - if (iattr->ia_valid & ATTR_FORCE) - return 0; - - if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | - ATTR_ATIME_SET | ATTR_MTIME_SET)) - return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR); - - return dentry_has_perm(cred, NULL, dentry, FILE__WRITE); + if ((ia_valid & ATTR_FORCE) && (ia_valid & SELINUX_FORCED_MASK)) { + err = dentry_has_perm(cred, NULL, dentry, FILE__SETATTR); + if (err) + return err; + ia_valid &= ~SELINUX_FORCED_MASK; + ia_valid &= ~ATTR_FORCE; + } + if (ia_valid) + err = dentry_has_perm(cred, NULL, dentry, FILE__WRITE); + return err; } static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html