SELinux: requesting no permissions in avc_has_perm_noaudit is a BUG()

This patch turns the case where we have a call into avc_has_perm with no requested permissions into a BUG_ON. All callers to this should be in the kernel and thus should be a function we need to fix if we ever hit this. The /selinux/access permission checking it done directly in the security server and not through the avc, so those requests which we cannot control from userspace should not be able to trigger this BUG_ON. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen D. Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
author: Eric Paris <eparis@redhat.com> 2008-03-11 14:19:34 -0400
committer: James Morris <jmorris@namei.org> 2008-04-18 20:26:09 +1000
commit: eda4f69ca5a532b425db5a6c2c6bc50717b9b5fe (patch)
tree: 09b74e5637218c64588e523d6d264fae0b9cb771 /security/selinux/avc.c
parent: f0115e6c8980ea9125a17858291c90ecd990bc1c (diff)
download: linux-eda4f69ca5a532b425db5a6c2c6bc50717b9b5fe.tar.gz
1 files changed, 3 insertions, 1 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 187964e88af1..cb3f0ce0b00a 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -871,6 +871,8 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
 	int rc = 0;
 	u32 denied;
 
+	BUG_ON(!requested);
+
 	rcu_read_lock();
 
 	node = avc_lookup(ssid, tsid, tclass, requested);
@@ -890,7 +892,7 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
 
 	denied = requested & ~(p_ae->avd.allowed);
 
-	if (!requested || denied) {
+	if (denied) {
 		if (selinux_enforcing || (flags & AVC_STRICT))
 			rc = -EACCES;
 		else
author	Eric Paris <eparis@redhat.com>	2008-03-11 14:19:34 -0400
committer	James Morris <jmorris@namei.org>	2008-04-18 20:26:09 +1000
commit	eda4f69ca5a532b425db5a6c2c6bc50717b9b5fe (patch)
tree	09b74e5637218c64588e523d6d264fae0b9cb771 /security/selinux/avc.c
parent	f0115e6c8980ea9125a17858291c90ecd990bc1c (diff)
download	linux-eda4f69ca5a532b425db5a6c2c6bc50717b9b5fe.tar.gz