authorStephen D. Smalley <sds@tycho.nsa.gov>2005-03-09 16:28:59 -0800
committerLinus Torvalds <torvalds@ppc970.osdl.org>2005-03-09 16:28:59 -0800
commitdc3149bd0e300d0fcd245aef94cbbd71bc7ec0ab (patch)
tree186a504dd9a8df8bdb3a87a44f596c40148af8b4 /security
parent78b96d12feb4384b623d4e31876d909983978ebf (diff)
[PATCH] SELinux: fix selinux_setprocattr
This patch changes the selinux_setprocattr hook function (which handles writes to nodes in the /proc/pid/attr directory) to ignore an optional terminating newline at the end of the value, and to handle a value beginning with a newline or a null in the same manner as a zero length value (clearing the attribute for the process and resetting it to using the default policy behavior). This change is to address the divergence from POSIX in the existing API, as POSIX says that write(2) with a zero count will return zero with no other effect, as well as to simplify use of the API from scripts (although that isn't recommended). Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'security')
-rw-r--r--security/selinux/hooks.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 575eeb935913..63e47c020a0f 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4106,6 +4106,7 @@ static int selinux_setprocattr(struct task_struct *p,
struct task_security_struct *tsec;
u32 sid = 0;
int error;
+ char *str = value;
if (current != p) {
/* SELinux only allows a process to change its own
@@ -4130,8 +4131,11 @@ static int selinux_setprocattr(struct task_struct *p,
return error;
/* Obtain a SID for the context, if one was specified. */
- if (size) {
- int error;
+ if (size && str[1] && str[1] != '\n') {
+ if (str[size-1] == '\n') {
+ str[size-1] = 0;
+ size--;
+ }
error = security_context_to_sid(value, size, &sid);
if (error)
return error;
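Review bot: The new condition `if (size && str[1] && str[1] != '\n') {` tests index 1, but the description says a value *beginning* with a newline or a null should be handled like a zero-length write, which is index 0. With a one-byte write (`size == 1`), `str[1]` lies past the bytes the caller supplied, so the branch is decided by whatever follows them in the buffer; whether that byte is even inside the allocation depends on the caller, which is not visible here. A lone `"\n"` can therefore reach `security_context_to_sid()` instead of clearing the attribute, and a value with a leading newline is not treated as empty. I would change the test to `if (size && str[0] && str[0] != '\n') {`. The body of selinux_setprocattr starts and ends outside this hunk.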