[PATCH] Reduce SELinux check on KDSKBENT/SENT ioctls

From: Stephen Smalley <sds@epoch.ncsc.mil> This patch reduces the full capability check in the SELinux module for the KDSKBENT/SENT ioctls to only check the corresponding SELinux permission, avoiding a change to the Linux permissions model for these operations.
author: Andrew Morton <akpm@osdl.org> 2003-12-29 23:42:55 -0800
committer: Linus Torvalds <torvalds@home.osdl.org> 2003-12-29 23:42:55 -0800
commit: 38181ac4b92c29575c5c5fcce8cf9fcf76785ed1 (patch)
tree: 0413e2686c8e31a84914e3a5dad2b730d5170264
parent: f1f4662e222e469de9b5bbd77fbaa025236a5746 (diff)
1 files changed, 1 insertions, 2 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index e9301f2b0dca..34bcfcc7aaa9 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1992,8 +1992,7 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd,
 
 	        case KDSKBENT:
 	        case KDSKBSENT:
-		  	if (!capable(CAP_SYS_TTY_CONFIG))
-				error = -EPERM;
+			error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
 			break;
 
 		/* default case assumes that the command will go
author	Andrew Morton <akpm@osdl.org>	2003-12-29 23:42:55 -0800
committer	Linus Torvalds <torvalds@home.osdl.org>	2003-12-29 23:42:55 -0800
commit	38181ac4b92c29575c5c5fcce8cf9fcf76785ed1 (patch)
tree	0413e2686c8e31a84914e3a5dad2b730d5170264
parent	f1f4662e222e469de9b5bbd77fbaa025236a5746 (diff)