diff options
| author | Ondrej Mosnacek <omosnace@redhat.com> | 2019-06-12 10:12:26 +0200 | 
|---|---|---|
| committer | Paul Moore <paul@paul-moore.com> | 2019-06-12 16:04:05 -0400 | 
| commit | 464c258aa45b09f16aa0f05847ed8895873262d9 (patch) | |
| tree | c00d9804a2c75ee26316361269ddeaa85be9229a /security/selinux/hooks.c | |
| parent | beee56f3543ae688f7b3f65a5e234b59856eff48 (diff) | |
selinux: fix empty write to keycreate file
When sid == 0 (we are resetting keycreate_sid to the default value), we
should skip the KEY__CREATE check.
Before this patch, doing a zero-sized write to /proc/self/keycreate
would check if the current task can create unlabeled keys (which would
usually fail with -EACCESS and generate an AVC). Now it skips the check
and correctly sets the task's keycreate_sid to 0.
Bug report: https://bugzilla.redhat.com/show_bug.cgi?id=1719067
Tested using the reproducer from the report above.
Fixes: 4eb582cf1fbd ("[PATCH] keys: add a way to store the appropriate context for newly-created keys")
Reported-by: Kir Kolyshkin <kir@sacred.ru>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/selinux/hooks.c')
| -rw-r--r-- | security/selinux/hooks.c | 11 | 
1 files changed, 6 insertions, 5 deletions
| diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index c61787b15f27..f77b314d0575 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6331,11 +6331,12 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)  	} else if (!strcmp(name, "fscreate")) {  		tsec->create_sid = sid;  	} else if (!strcmp(name, "keycreate")) { -		error = avc_has_perm(&selinux_state, -				     mysid, sid, SECCLASS_KEY, KEY__CREATE, -				     NULL); -		if (error) -			goto abort_change; +		if (sid) { +			error = avc_has_perm(&selinux_state, mysid, sid, +					     SECCLASS_KEY, KEY__CREATE, NULL); +			if (error) +				goto abort_change; +		}  		tsec->keycreate_sid = sid;  	} else if (!strcmp(name, "sockcreate")) {  		tsec->sockcreate_sid = sid; | 
