-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This patch looks good to me. acked. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk9x3qcACgkQrlYvE4MpobPMHQCfQNYb92qZUhdHdqixuvci1j7k x38An0SShIol3KqjISaujnpn1gZa7fhA =B990 -----END PGP SIGNATURE-----
>From 7e8b5ab25797271cd3eb45f4dc14dc4be0f15d6d Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@xxxxxxxxxx>
Date: Fri, 16 Mar 2012 11:05:17 -0400
Subject: [PATCH 59/73] libselinux: take security_deny_unknown into account

selinux_check_access() should not error on bad class or perms if the security_deny_unkown() function return false. If policy tells us to allow unknown classes and perms we should respect that.

Signed-off-by: Eric Paris <eparis@xxxxxxxxxx>
---
 libselinux/src/checkAccess.c | 40 +++++++++++++++++++++++++++++-----------
 1 file changed, 29 insertions(+), 11 deletions(-)

diff --git a/libselinux/src/checkAccess.c b/libselinux/src/checkAccess.c
index 59c8abb..aaebb94 100644
--- a/libselinux/src/checkAccess.c
+++ b/libselinux/src/checkAccess.c
@@ -1,3 +1,4 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
 #include <unistd.h>
 #include <sys/types.h>
 #include <stdlib.h>
@@ -15,8 +16,7 @@ static void avc_init_once(void)
 }
 
 int selinux_check_access(const security_context_t scon, const security_context_t tcon, const char *class, const char *perm, void *aux) {
- int status = -1;
- int rc = -1;
+ int rc;
 security_id_t scon_id;
 security_id_t tcon_id;
 security_class_t sclass;
@@ -27,15 +27,33 @@ int selinux_check_access(const security_context_t scon, const security_context_t
 
 __selinux_once(once, avc_init_once);
 
- if ((rc = avc_context_to_sid(scon, &scon_id)) < 0) return rc;
-
- if ((rc = avc_context_to_sid(tcon, &tcon_id)) < 0) return rc;
-
- if ((sclass = string_to_security_class(class)) == 0) return status;
-
- if ((av = string_to_av_perm(sclass, perm)) == 0) return status;
-
- return avc_has_perm (scon_id, tcon_id, sclass, av, NULL, aux);
+ rc = avc_context_to_sid(scon, &scon_id);
+ if (rc < 0)
+ return rc;
+
+ rc = avc_context_to_sid(tcon, &tcon_id);
+ if (rc < 0)
+ return rc;
+
+ sclass = string_to_security_class(class);
+ if (sclass == 0) {
+ rc = errno;
+ if (security_deny_unknown() == 0)
+ return 0;
+ errno = rc;
+ return -1;
+ }
+
+ av = string_to_av_perm(sclass, perm);
+ if (av == 0) {
+ rc = errno;
+ if (security_deny_unknown() == 0)
+ return 0;
+ errno = rc;
+ return -1;
+ }
+
+ return avc_has_perm (scon_id, tcon_id, sclass, av, NULL, aux);
 }
 
 int selinux_check_passwd_access(access_vector_t requested)
-- 
1.7.9.3
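Review bot: The two `sclass == 0` / `av == 0` blocks turn any class or permission name that libselinux cannot map into a silent allow (`return 0`) whenever `security_deny_unknown()` reports 0, and that path never reaches `avc_has_perm()`, so the decision is neither cached nor audited — a mistyped class or perm string in a caller becomes fail-open instead of an error, and nothing in the hunk separates that case from a name genuinely absent from the loaded policy. That trade-off is presumably intended, but it has to be stated where the code is; I would put above the first block: `/* Unknown class/perm: defer to the policy's deny_unknown setting. 0 means policy allows unknown classes/perms, so mirror it; this path skips the AVC, so the result is neither cached nor audited. */`. The saved `errno` is also restored only on the deny path, so on the allow path callers see whatever `security_deny_unknown()` left behind rather than a cleared or meaningful value. Because the seven-line sequence is duplicated verbatim, I would move it into a static helper defined before `selinux_check_access` (outside this hunk) so the comment and the errno handling live in one place, keeping the present fail-closed behaviour when `security_deny_unknown()` itself returns -1. `selinux_check_access` begins before this hunk.
```c
/* Handle a class or permission string libselinux could not map.
 * Defer to the policy's deny_unknown setting: allow (0) when policy
 * allows unknown classes/perms, otherwise fail with the errno the
 * failed lookup left behind.  A -1 from security_deny_unknown() also
 * lands on the deny path.  This never reaches avc_has_perm(), so the
 * result is neither cached nor audited. */
static int unknown_class_or_perm(void)
{
	int saved_errno = errno;

	if (security_deny_unknown() == 0)
		return 0;
	errno = saved_errno;
	return -1;
}

	/* … unchanged: context-to-SID lookups … */
	sclass = string_to_security_class(class);
	if (sclass == 0)
		return unknown_class_or_perm();

	av = string_to_av_perm(sclass, perm);
	if (av == 0)
		return unknown_class_or_perm();
```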