* [PATCH][SELINUX] Revalidate access to controlling tty
@ 2004-08-16 16:27 Stephen Smalley
From: Stephen Smalley @ 2004-08-16 16:27 UTC (permalink / raw)
  To: Andrew Morton, James Morris, lkml, Chris Wright

This patch changes the SELinux flush_unauthorized_files function to also
recheck access to the controlling tty and reset it if it is no longer
accessible under the new security context.  This patch is relative to the
selinuxfs devnull patch.  Please apply.

Signed-off-by:  Stephen Smalley <sds@epoch.ncsc.mil>
Signed-off-by:  James Morris <jmorris@redhat.com>

 security/selinux/hooks.c |   25 +++++++++++++++++++++++++
 1 files changed, 25 insertions(+)

diff -X /home/sds/dontdiff -ru linux-2.6.8.old/security/selinux/hooks.c linux-2.6.8/security/selinux/hooks.c
--- linux-2.6.8.old/security/selinux/hooks.c	2004-08-05 11:03:54.362725160 -0400
+++ linux-2.6.8/security/selinux/hooks.c	2004-08-05 11:04:04.038254256 -0400
@@ -43,6 +43,7 @@
 #include <linux/kd.h>
 #include <linux/netfilter_ipv4.h>
 #include <linux/netfilter_ipv6.h>
+#include <linux/tty.h>
 #include <net/icmp.h>
 #include <net/ip.h>		/* for sysctl_local_port_range[] */
 #include <net/tcp.h>		/* struct or_callable used in sock_rcv_skb */
@@ -1733,8 +1734,32 @@
 {
 	struct avc_audit_data ad;
 	struct file *file, *devnull = NULL;
+	struct tty_struct *tty = current->signal->tty;
 	long j = -1;
 
+	if (tty) {
+		file_list_lock();
+		file = list_entry(tty->tty_files.next, typeof(*file), f_list);
+		if (file) {
+			/* Revalidate access to controlling tty.
+			   Use inode_has_perm on the tty inode directly rather
+			   than using file_has_perm, as this particular open
+			   file may belong to another process and we are only
+			   interested in the inode-based check here. */
+			struct inode *inode = file->f_dentry->d_inode;
+			if (inode_has_perm(current, inode, 
+					   FILE__READ | FILE__WRITE, 
+					   NULL, NULL)) {
+				/* Reset controlling tty. */
+				current->signal->tty = NULL;
+				current->signal->tty_old_pgrp = 0;
+			}
+		}
+		file_list_unlock();
+	}
+
+	/* Revalidate access to inherited open files. */
+
 	AVC_AUDIT_DATA_INIT(&ad,FS);
 
 	spin_lock(&files->file_lock);
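Review bot: the `if (file)` null check after `list_entry(tty->tty_files.next, ...)` cannot catch an empty `tty_files` list, because `list_entry` on the list head itself still yields a non-NULL (bogus) pointer rather than NULL; guard with `if (!list_empty(&tty->tty_files))` before taking the first entry (or fall through to the unlock when it is empty). Two smaller points in the same block: the `inode_has_perm(current, inode, FILE__READ | FILE__WRITE, NULL, NULL)` call passes no audit data, so a denial that silently drops the controlling tty leaves nothing in the audit log, which is worth a comment if intentional; and the lines `if (inode_has_perm(current, inode, ` and `FILE__READ | FILE__WRITE, ` carry trailing whitespace.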

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency

