On Wed, 2007-02-07 at 15:21 -0700, Eric W. Biederman wrote: > Stephen Smalley <[EMAIL PROTECTED]> writes: > > > Actually, on further inspection, it looks like the real issue is the > > "path" name generation; "cat /proc/sys/kernel/modprobe" yields a call to > > security_genfs_sid() with just "/modprobe" rather than the expected > > "/sys/kernel/modprobe". Which likewise leaves us with the generic proc > > label, just as with the inode permission check, so I end up seeing > > checks against it only. > > Ok. It looks like two silly thing are going on here. > I failed to register the root sysctl table, so none of the parent > pointers got set. > > I didn't prepend /sys in the compatibility code, so for something with > the parent pointers set you would have gotten "/kernel/modprobe" instead > of /sys/kernel/modprobe" > > Sorry about that. > > I think the patch below will fix it.
Yes, thanks - this appears to correct the name generation and thus the resulting SID computation for the selinux sysctl checks. > Eric > > diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h > index 24f36f1..f316854 100644 > --- a/include/linux/sysctl.h > +++ b/include/linux/sysctl.h > @@ -929,8 +929,6 @@ extern struct ctl_table_header *sysctl_head_next(struct > ctl_table_header *prev); > extern void sysctl_head_finish(struct ctl_table_header *prev); > extern int sysctl_perm(struct ctl_table *table, int op); > > -extern void sysctl_init(void); > - > typedef struct ctl_table ctl_table; > > typedef int ctl_handler (ctl_table *table, int __user *name, int nlen, > diff --git a/kernel/sysctl.c b/kernel/sysctl.c > index 0a5499f..0bb2c5f 100644 > --- a/kernel/sysctl.c > +++ b/kernel/sysctl.c > @@ -1241,6 +1241,14 @@ static void sysctl_set_parent(struct ctl_table > *parent, struct ctl_table *table) > } > } > > +static __init int sysctl_init(void) > +{ > + sysctl_set_parent(NULL, root_table); > + return 0; > +} > + > +core_initcall(sysctl_init); > + > /** > * register_sysctl_table - register a sysctl hierarchy > * @table: the top-level table structure > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index c17a8dd..aad2697 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -1452,6 +1452,12 @@ static int selinux_sysctl_get_sid(ctl_table *table, > u16 tclass, u32 *sid) > path = end; > table = table->parent; > } > + buflen -= 4; > + if (buflen < 0) > + goto out_free; > + end -= 4; > + memcpy(end, "/sys", 4); > + path = end; > rc = security_genfs_sid("proc", path, tclass, sid); > out_free: > free_page((unsigned long)buffer); > -- Stephen Smalley National Security Agency - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/