On Fri, Feb 25, 2022 at 12:54 PM Richard Haines <richard_c_haines@xxxxxxxxxxxxxx> wrote: > > These ioctls are equivalent to fcntl(fd, F_SETFD, flags), which SELinux > always allows too. Furthermore, a failed FIOCLEX could result in a file > descriptor being leaked to a process that should not have access to it. > > As this patch removes access controls, a policy capability needs to be > enabled in policy to always allow these ioctls. > > Based-on-patch-by: Demi Marie Obenour <demiobenour@xxxxxxxxx> > Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx> > --- > V2 Change: Control via a policy capability. > V3 Change: Update switch check. > V4 Change: Use POLICYDB_CAPABILITY_IOCTL_SKIP_CLOEXEC > > security/selinux/hooks.c | 6 ++++++ > security/selinux/include/policycap.h | 1 + > security/selinux/include/policycap_names.h | 3 ++- > security/selinux/include/security.h | 7 +++++++ > 4 files changed, 16 insertions(+), 1 deletion(-) Merged into selinux/next, thanks everyone! -- paul-moore.com
