[PATCH][SELINUX] Revalidate access to controlling tty

From: Stephen Smalley
Date: Mon Aug 16 2004 - 11:29:45 EST

Next message: Stephen Smalley: "[PATCH][SELINUX] Defer inode security initialization"
Previous message: Stephen Smalley: "[PATCH][SELINUX] Add null device node to selinuxfs, removeopen_devnull"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This patch changes the SELinux flush_unauthorized_files function to also
recheck access to the controlling tty and reset it if it is no longer
accessible under the new security context. This patch is relative to the
selinuxfs devnull patch. Please apply.

Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxxx>
Signed-off-by: James Morris <jmorris@xxxxxxxxxx>

security/selinux/hooks.c | 25 +++++++++++++++++++++++++
1 files changed, 25 insertions(+)

diff -X /home/sds/dontdiff -ru linux-2.6.8.old/security/selinux/hooks.c linux-2.6.8/security/selinux/hooks.c
--- linux-2.6.8.old/security/selinux/hooks.c 2004-08-05 11:03:54.362725160 -0400
+++ linux-2.6.8/security/selinux/hooks.c 2004-08-05 11:04:04.038254256 -0400
@@ -43,6 +43,7 @@
#include <linux/kd.h>
#include <linux/netfilter_ipv4.h>
#include <linux/netfilter_ipv6.h>
+#include <linux/tty.h>
#include <net/icmp.h>
#include <net/ip.h> /* for sysctl_local_port_range[] */
#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
@@ -1733,8 +1734,32 @@
{
struct avc_audit_data ad;
struct file *file, *devnull = NULL;
+ struct tty_struct *tty = current->signal->tty;
long j = -1;

+ if (tty) {
+ file_list_lock();
+ file = list_entry(tty->tty_files.next, typeof(*file), f_list);
+ if (file) {
+ /* Revalidate access to controlling tty.
+ Use inode_has_perm on the tty inode directly rather
+ than using file_has_perm, as this particular open
+ file may belong to another process and we are only
+ interested in the inode-based check here. */
+ struct inode *inode = file->f_dentry->d_inode;
+ if (inode_has_perm(current, inode,
+ FILE__READ | FILE__WRITE,
+ NULL, NULL)) {
+ /* Reset controlling tty. */
+ current->signal->tty = NULL;
+ current->signal->tty_old_pgrp = 0;
+ }
+ }
+ file_list_unlock();
+ }
+
+ /* Revalidate access to inherited open files. */
+
AVC_AUDIT_DATA_INIT(&ad,FS);

spin_lock(&files->file_lock);

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Stephen Smalley: "[PATCH][SELINUX] Defer inode security initialization"
Previous message: Stephen Smalley: "[PATCH][SELINUX] Add null device node to selinuxfs, removeopen_devnull"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]