1. 25 Apr, 2011 3 commits
  2. 10 Feb, 2011 1 commit
  3. 09 Feb, 2011 1 commit
  4. 01 Feb, 2011 1 commit
    • Eric Paris's avatar
      fs/vfs/security: pass last path component to LSM on inode creation · 2a7dba39
      Eric Paris authored
      SELinux would like to implement a new labeling behavior of newly created
      inodes.  We currently label new inodes based on the parent and the creating
      process.  This new behavior would also take into account the name of the
      new object when deciding the new label.  This is not the (supposed) full path,
      just the last component of the path.
      
      This is very useful because creating /etc/shadow is different than creating
      /etc/passwd but the kernel hooks are unable to differentiate these
      operations.  We currently require that userspace realize it is doing some
      difficult operation like that and than userspace jumps through SELinux hoops
      to get things set up correctly.  This patch does not implement new
      behavior, that is obviously contained in a seperate SELinux patch, but it
      does pass the needed name down to the correct LSM hook.  If no such name
      exists it is fine to pass NULL.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      2a7dba39
  5. 17 Jan, 2011 1 commit
    • Casey Schaufler's avatar
      Subject: [PATCH] Smack: mmap controls for library containment · 7898e1f8
      Casey Schaufler authored
        In the embedded world there are often situations
        where libraries are updated from a variety of sources,
        for a variety of reasons, and with any number of
        security characteristics. These differences
        might include privilege required for a given library
        provided interface to function properly, as occurs
        from time to time in graphics libraries. There are
        also cases where it is important to limit use of
        libraries based on the provider of the library and
        the security aware application may make choices
        based on that criteria.
      
        These issues are addressed by providing an additional
        Smack label that may optionally be assigned to an object,
        the SMACK64MMAP attribute. An mmap operation is allowed
        if there is no such attribute.
      
        If there is a SMACK64MMAP attribute the mmap is permitted
        only if a subject with that label has all of the access
        permitted a subject with the current task label.
      
        Security aware applications may from time to time
        wish to reduce their "privilege" to avoid accidental use
        of privilege. One case where this arises is the
        environment in which multiple sources provide libraries
        to perform the same functions. An application may know
        that it should eschew services made available from a
        particular vendor, or of a particular version.
      
        In support of this a secondary list of Smack rules has
        been added that is local to the task. This list is
        consulted only in the case where the global list has
        approved access. It can only further restrict access.
        Unlike the global last, if no entry is found on the
        local list access is granted. An application can add
        entries to its own list by writing to /smack/load-self.
      
        The changes appear large as they involve refactoring
        the list handling to accomodate there being more
        than one rule list.
      Signed-off-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      7898e1f8
  6. 05 Jan, 2011 1 commit
  7. 07 Dec, 2010 1 commit
    • Jarkko Sakkinen's avatar
      Smack: Transmute labels on specified directories · 5c6d1125
      Jarkko Sakkinen authored
      In a situation where Smack access rules allow processes
      with multiple labels to write to a directory it is easy
      to get into a situation where the directory gets cluttered
      with files that the owner can't deal with because while
      they could be written to the directory a process at the
      label of the directory can't write them. This is generally
      the desired behavior, but when it isn't it is a real
      issue.
      
      This patch introduces a new attribute SMACK64TRANSMUTE that
      instructs Smack to create the file with the label of the directory
      under certain circumstances.
      
      A new access mode, "t" for transmute, is made available to
      Smack access rules, which are expanded from "rwxa" to "rwxat".
      If a file is created in a directory marked as transmutable
      and if access was granted to perform the operation by a rule
      that included the transmute mode, then the file gets the
      Smack label of the directory instead of the Smack label of the
      creating process.
      
      Note that this is equivalent to creating an empty file at the
      label of the directory and then having the other process write
      to it. The transmute scheme requires that both the access rule
      allows transmutation and that the directory be explicitly marked.
      Signed-off-by: default avatarJarkko Sakkinen <ext-jarkko.2.sakkinen@nokia.com>
      Signed-off-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      5c6d1125
  8. 02 Dec, 2010 1 commit
    • Casey Schaufler's avatar
      This patch adds a new security attribute to Smack called · 676dac4b
      Casey Schaufler authored
      SMACK64EXEC. It defines label that is used while task is
      running.
      
      Exception: in smack_task_wait() child task is checked
      for write access to parent task using label inherited
      from the task that forked it.
      
      Fixed issues from previous submit:
      - SMACK64EXEC was not read when SMACK64 was not set.
      - inode security blob was not updated after setting
        SMACK64EXEC
      - inode security blob was not updated when removing
        SMACK64EXEC
      676dac4b
  9. 28 Nov, 2010 1 commit
    • Casey Schaufler's avatar
      Smack: UDS revision · b4e0d5f0
      Casey Schaufler authored
      This patch addresses a number of long standing issues
          with the way Smack treats UNIX domain sockets.
      
          All access control was being done based on the label of
          the file system object. This is inconsistant with the
          internet domain, in which access is done based on the
          IPIN and IPOUT attributes of the socket. As a result
          of the inode label policy it was not possible to use
          a UDS socket for label cognizant services, including
          dbus and the X11 server.
      
          Support for SCM_PEERSEC on UDS sockets is also provided.
      Signed-off-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      b4e0d5f0
  10. 15 Nov, 2010 1 commit
  11. 20 Oct, 2010 2 commits
  12. 02 Aug, 2010 2 commits
  13. 16 Jun, 2010 1 commit
  14. 26 Apr, 2010 1 commit
  15. 07 Apr, 2010 1 commit
  16. 30 Mar, 2010 1 commit
    • Tejun Heo's avatar
      include cleanup: Update gfp.h and slab.h includes to prepare for breaking... · 5a0e3ad6
      Tejun Heo authored
      include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
      
      percpu.h is included by sched.h and module.h and thus ends up being
      included when building most .c files.  percpu.h includes slab.h which
      in turn includes gfp.h making everything defined by the two files
      universally available and complicating inclusion dependencies.
      
      percpu.h -> slab.h dependency is about to be removed.  Prepare for
      this change by updating users of gfp and slab facilities include those
      headers directly instead of assuming availability.  As this conversion
      needs to touch large number of source files, the following script is
      used as the basis of conversion.
      
        http://userweb.kernel.org/~tj/misc/slabh-sweep.py
      
      The script does the followings.
      
      * Scan files for gfp and slab usages and update includes such that
        only the necessary includes are there.  ie. if only gfp is used,
        gfp.h, if slab is used, slab.h.
      
      * When the script inserts a new include, it looks at the include
        blocks and try to put the new include such that its order conforms
        to its surrounding.  It's put in the include block which contains
        core kernel includes, in the same order that the rest are ordered -
        alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
        doesn't seem to be any matching order.
      
      * If the script can't find a place to put a new include (mostly
        because the file doesn't have fitting include block), it prints out
        an error message indicating which .h file needs to be added to the
        file.
      
      The conversion was done in the following steps.
      
      1. The initial automatic conversion of all .c files updated slightly
         over 4000 files, deleting around 700 includes and adding ~480 gfp.h
         and ~3000 slab.h inclusions.  The script emitted errors for ~400
         files.
      
      2. Each error was manually checked.  Some didn't need the inclusion,
         some needed manual addition while adding it to implementation .h or
         embedding .c file was more appropriate for others.  This step added
         inclusions to around 150 files.
      
      3. The script was run again and the output was compared to the edits
         from #2 to make sure no file was left behind.
      
      4. Several build tests were done and a couple of problems were fixed.
         e.g. lib/decompress_*.c used malloc/free() wrappers around slab
         APIs requiring slab.h to be added manually.
      
      5. The script was run on all .h files but without automatically
         editing them as sprinkling gfp.h and slab.h inclusions around .h
         files could easily lead to inclusion dependency hell.  Most gfp.h
         inclusion directives were ignored as stuff from gfp.h was usually
         wildly available and often used in preprocessor macros.  Each
         slab.h inclusion directive was examined and added manually as
         necessary.
      
      6. percpu.h was updated not to include slab.h.
      
      7. Build test were done on the following configurations and failures
         were fixed.  CONFIG_GCOV_KERNEL was turned off for all tests (as my
         distributed build env didn't work with gcov compiles) and a few
         more options had to be turned off depending on archs to make things
         build (like ipr on powerpc/64 which failed due to missing writeq).
      
         * x86 and x86_64 UP and SMP allmodconfig and a custom test config.
         * powerpc and powerpc64 SMP allmodconfig
         * sparc and sparc64 SMP allmodconfig
         * ia64 SMP allmodconfig
         * s390 SMP allmodconfig
         * alpha SMP allmodconfig
         * um on x86_64 SMP allmodconfig
      
      8. percpu.h modifications were reverted so that it could be applied as
         a separate patch and serve as bisection point.
      
      Given the fact that I had only a couple of failures from tests on step
      6, I'm fairly confident about the coverage of this conversion patch.
      If there is a breakage, it's likely to be something in one of the arch
      headers which should be easily discoverable easily on most builds of
      the specific arch.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Guess-its-ok-by: default avatarChristoph Lameter <cl@linux-foundation.org>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
      5a0e3ad6
  17. 03 Mar, 2010 1 commit
    • Al Viro's avatar
      fix mnt_mountpoint abuse in smack · de27a5bf
      Al Viro authored
      (mnt,mnt_mountpoint) pair is conceptually wrong; if you want
      to use it for generating pathname and for nothing else *and*
      if you know that vfsmount tree is unchanging, you can get
      away with that, but the right solution for that is (mnt,mnt_root).
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      de27a5bf
  18. 04 Feb, 2010 1 commit
  19. 20 Nov, 2009 1 commit
  20. 23 Sep, 2009 1 commit
  21. 10 Sep, 2009 2 commits
    • David P. Quigley's avatar
      sysfs: Add labeling support for sysfs · ddd29ec6
      David P. Quigley authored
      This patch adds a setxattr handler to the file, directory, and symlink
      inode_operations structures for sysfs. The patch uses hooks introduced in the
      previous patch to handle the getting and setting of security information for
      the sysfs inodes. As was suggested by Eric Biederman the struct iattr in the
      sysfs_dirent structure has been replaced by a structure which contains the
      iattr, secdata and secdata length to allow the changes to persist in the event
      that the inode representing the sysfs_dirent is evicted. Because sysfs only
      stores this information when a change is made all the optional data is moved
      into one dynamically allocated field.
      
      This patch addresses an issue where SELinux was denying virtd access to the PCI
      configuration entries in sysfs. The lack of setxattr handlers for sysfs
      required that a single label be assigned to all entries in sysfs. Granting virtd
      access to every entry in sysfs is not an acceptable solution so fine grained
      labeling of sysfs is required such that individual entries can be labeled
      appropriately.
      
      [sds:  Fixed compile-time warnings, coding style, and setting of inode security init flags.]
      Signed-off-by: default avatarDavid P. Quigley <dpquigl@tycho.nsa.gov>
      Signed-off-by: default avatarStephen D. Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      ddd29ec6
    • David P. Quigley's avatar
      LSM/SELinux: inode_{get,set,notify}secctx hooks to access LSM security context information. · 1ee65e37
      David P. Quigley authored
      This patch introduces three new hooks. The inode_getsecctx hook is used to get
      all relevant information from an LSM about an inode. The inode_setsecctx is
      used to set both the in-core and on-disk state for the inode based on a context
      derived from inode_getsecctx.The final hook inode_notifysecctx will notify the
      LSM of a change for the in-core state of the inode in question. These hooks are
      for use in the labeled NFS code and addresses concerns of how to set security
      on an inode in a multi-xattr LSM. For historical reasons Stephen Smalley's
      explanation of the reason for these hooks is pasted below.
      
      Quote Stephen Smalley
      
      inode_setsecctx:  Change the security context of an inode.  Updates the
      in core security context managed by the security module and invokes the
      fs code as needed (via __vfs_setxattr_noperm) to update any backing
      xattrs that represent the context.  Example usage:  NFS server invokes
      this hook to change the security context in its incore inode and on the
      backing file system to a value provided by the client on a SETATTR
      operation.
      
      inode_notifysecctx:  Notify the security module of what the security
      context of an inode should be.  Initializes the incore security context
      managed by the security module for this inode.  Example usage:  NFS
      client invokes this hook to initialize the security context in its
      incore inode to the value provided by the server for the file when the
      server returned the file's attributes to the client.
      Signed-off-by: default avatarDavid P. Quigley <dpquigl@tycho.nsa.gov>
      Acked-by: default avatarSerge Hallyn <serue@us.ibm.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      1ee65e37
  22. 02 Sep, 2009 1 commit
    • David Howells's avatar
      KEYS: Add a keyctl to install a process's session keyring on its parent [try #6] · ee18d64c
      David Howells authored
      Add a keyctl to install a process's session keyring onto its parent.  This
      replaces the parent's session keyring.  Because the COW credential code does
      not permit one process to change another process's credentials directly, the
      change is deferred until userspace next starts executing again.  Normally this
      will be after a wait*() syscall.
      
      To support this, three new security hooks have been provided:
      cred_alloc_blank() to allocate unset security creds, cred_transfer() to fill in
      the blank security creds and key_session_to_parent() - which asks the LSM if
      the process may replace its parent's session keyring.
      
      The replacement may only happen if the process has the same ownership details
      as its parent, and the process has LINK permission on the session keyring, and
      the session keyring is owned by the process, and the LSM permits it.
      
      Note that this requires alteration to each architecture's notify_resume path.
      This has been done for all arches barring blackfin, m68k* and xtensa, all of
      which need assembly alteration to support TIF_NOTIFY_RESUME.  This allows the
      replacement to be performed at the point the parent process resumes userspace
      execution.
      
      This allows the userspace AFS pioctl emulation to fully emulate newpag() and
      the VIOCSETTOK and VIOCSETTOK2 pioctls, all of which require the ability to
      alter the parent process's PAG membership.  However, since kAFS doesn't use
      PAGs per se, but rather dumps the keys into the session keyring, the session
      keyring of the parent must be replaced if, for example, VIOCSETTOK is passed
      the newpag flag.
      
      This can be tested with the following program:
      
      	#include <stdio.h>
      	#include <stdlib.h>
      	#include <keyutils.h>
      
      	#define KEYCTL_SESSION_TO_PARENT	18
      
      	#define OSERROR(X, S) do { if ((long)(X) == -1) { perror(S); exit(1); } } while(0)
      
      	int main(int argc, char **argv)
      	{
      		key_serial_t keyring, key;
      		long ret;
      
      		keyring = keyctl_join_session_keyring(argv[1]);
      		OSERROR(keyring, "keyctl_join_session_keyring");
      
      		key = add_key("user", "a", "b", 1, keyring);
      		OSERROR(key, "add_key");
      
      		ret = keyctl(KEYCTL_SESSION_TO_PARENT);
      		OSERROR(ret, "KEYCTL_SESSION_TO_PARENT");
      
      		return 0;
      	}
      
      Compiled and linked with -lkeyutils, you should see something like:
      
      	[dhowells@andromeda ~]$ keyctl show
      	Session Keyring
      	       -3 --alswrv   4043  4043  keyring: _ses
      	355907932 --alswrv   4043    -1   \_ keyring: _uid.4043
      	[dhowells@andromeda ~]$ /tmp/newpag
      	[dhowells@andromeda ~]$ keyctl show
      	Session Keyring
      	       -3 --alswrv   4043  4043  keyring: _ses
      	1055658746 --alswrv   4043  4043   \_ user: a
      	[dhowells@andromeda ~]$ /tmp/newpag hello
      	[dhowells@andromeda ~]$ keyctl show
      	Session Keyring
      	       -3 --alswrv   4043  4043  keyring: hello
      	340417692 --alswrv   4043  4043   \_ user: a
      
      Where the test program creates a new session keyring, sticks a user key named
      'a' into it and then installs it on its parent.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      ee18d64c
  23. 05 Aug, 2009 1 commit
  24. 24 Jun, 2009 1 commit
  25. 28 May, 2009 1 commit
  26. 18 Apr, 2009 1 commit
  27. 13 Apr, 2009 1 commit
  28. 28 Mar, 2009 3 commits
    • Etienne Basset's avatar
      smack: Add a new '-CIPSO' option to the network address label configuration · 4303154e
      Etienne Basset authored
      This patch adds a new special option '-CIPSO' to the Smack subsystem. When used
      in the netlabel list, it means "use CIPSO networking". A use case is when your
      local network speaks CIPSO and you want also to connect to the unlabeled
      Internet. This patch also add some documentation describing that. The patch
      also corrects an oops when setting a '' SMACK64 xattr to a file.
      Signed-off-by: default avatarEtienne Basset <etienne.basset@numericable.fr>
      Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
      Acked-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      4303154e
    • Paul Moore's avatar
      netlabel: Cleanup the Smack/NetLabel code to fix incoming TCP connections · 07feee8f
      Paul Moore authored
      This patch cleans up a lot of the Smack network access control code.  The
      largest changes are to fix the labeling of incoming TCP connections in a
      manner similar to the recent SELinux changes which use the
      security_inet_conn_request() hook to label the request_sock and let the label
      move to the child socket via the normal network stack mechanisms.  In addition
      to the incoming TCP connection fixes this patch also removes the smk_labled
      field from the socket_smack struct as the minor optimization advantage was
      outweighed by the difficulty in maintaining it's proper state.
      Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
      Acked-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      07feee8f
    • Paul Moore's avatar
      netlabel: Label incoming TCP connections correctly in SELinux · 389fb800
      Paul Moore authored
      The current NetLabel/SELinux behavior for incoming TCP connections works but
      only through a series of happy coincidences that rely on the limited nature of
      standard CIPSO (only able to convey MLS attributes) and the write equality
      imposed by the SELinux MLS constraints.  The problem is that network sockets
      created as the result of an incoming TCP connection were not on-the-wire
      labeled based on the security attributes of the parent socket but rather based
      on the wire label of the remote peer.  The issue had to do with how IP options
      were managed as part of the network stack and where the LSM hooks were in
      relation to the code which set the IP options on these newly created child
      sockets.  While NetLabel/SELinux did correctly set the socket's on-the-wire
      label it was promptly cleared by the network stack and reset based on the IP
      options of the remote peer.
      
      This patch, in conjunction with a prior patch that adjusted the LSM hook
      locations, works to set the correct on-the-wire label format for new incoming
      connections through the security_inet_conn_request() hook.  Besides the
      correct behavior there are many advantages to this change, the most significant
      is that all of the NetLabel socket labeling code in SELinux now lives in hooks
      which can return error codes to the core stack which allows us to finally get
      ride of the selinux_netlbl_inode_permission() logic which greatly simplfies
      the NetLabel/SELinux glue code.  In the process of developing this patch I
      also ran into a small handful of AF_INET6 cleanliness issues that have been
      fixed which should make the code safer and easier to extend in the future.
      Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
      Acked-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      389fb800
  29. 25 Mar, 2009 1 commit
  30. 04 Mar, 2009 1 commit
    • etienne's avatar
      smack: fixes for unlabeled host support · 211a40c0
      etienne authored
      The following patch (against 2.6.29rc5) fixes a few issues in the
      smack/netlabel "unlabeled host support" functionnality that was added in
      2.6.29rc.  It should go in before -final.
      
      1) smack_host_label disregard a "0.0.0.0/0 @" rule (or other label),
      preventing 'tagged' tasks to access Internet (many systems drop packets with
      IP options)
      
      2) netmasks were not handled correctly, they were stored in a way _not
      equivalent_ to conversion to be32 (it was equivalent for /0, /8, /16, /24,
      /32 masks but not other masks)
      
      3) smack_netlbladdr prefixes (IP/mask) were not consistent (mask&IP was not
      done), so there could have been different list entries for the same IP
      prefix; if those entries had different labels, well ...
      
      4) they were not sorted
      
      1) 2) 3) are bugs, 4) is a more cosmetic issue.
      The patch :
      
      -creates a new helper smk_netlbladdr_insert to insert a smk_netlbladdr,
      -sorted by netmask length
      
      -use the new sorted nature of  smack_netlbladdrs list to simplify
       smack_host_label : the first match _will_ be the more specific
      
      -corrects endianness issues in smk_write_netlbladdr &  netlbladdr_seq_show
      
      Signed-off-by: <etienne.basset@numericable.fr>
      Acked-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      Reviewed-by: default avatarPaul Moore <paul.moore@hp.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      211a40c0
  31. 19 Feb, 2009 1 commit
  32. 06 Jan, 2009 1 commit
  33. 05 Jan, 2009 1 commit
    • David Howells's avatar
      CRED: Fix regression in cap_capable() as shown up by sys_faccessat() [ver #2] · 14eaddc9
      David Howells authored
      Fix a regression in cap_capable() due to:
      
      	commit 5ff7711e635b32f0a1e558227d030c7e45b4a465
      	Author: David Howells <dhowells@redhat.com>
      	Date:   Wed Dec 31 02:52:28 2008 +0000
      
      	    CRED: Differentiate objective and effective subjective credentials on a task
      
      The problem is that the above patch allows a process to have two sets of
      credentials, and for the most part uses the subjective credentials when
      accessing current's creds.
      
      There is, however, one exception: cap_capable(), and thus capable(), uses the
      real/objective credentials of the target task, whether or not it is the current
      task.
      
      Ordinarily this doesn't matter, since usually the two cred pointers in current
      point to the same set of creds.  However, sys_faccessat() makes use of this
      facility to override the credentials of the calling process to make its test,
      without affecting the creds as seen from other processes.
      
      One of the things sys_faccessat() does is to make an adjustment to the
      effective capabilities mask, which cap_capable(), as it stands, then ignores.
      
      The affected capability check is in generic_permission():
      
      	if (!(mask & MAY_EXEC) || execute_ok(inode))
      		if (capable(CAP_DAC_OVERRIDE))
      			return 0;
      
      This change splits capable() from has_capability() down into the commoncap and
      SELinux code.  The capable() security op now only deals with the current
      process, and uses the current process's subjective creds.  A new security op -
      task_capable() - is introduced that can check any task's objective creds.
      
      strictly the capable() security op is superfluous with the presence of the
      task_capable() op, however it should be faster to call the capable() op since
      two fewer arguments need be passed down through the various layers.
      
      This can be tested by compiling the following program from the XFS testsuite:
      
      /*
       *  t_access_root.c - trivial test program to show permission bug.
       *
       *  Written by Michael Kerrisk - copyright ownership not pursued.
       *  Sourced from: http://linux.derkeiler.com/Mailing-Lists/Kernel/2003-10/6030.html
       */
      #include <limits.h>
      #include <unistd.h>
      #include <stdio.h>
      #include <stdlib.h>
      #include <fcntl.h>
      #include <sys/stat.h>
      
      #define UID 500
      #define GID 100
      #define PERM 0
      #define TESTPATH "/tmp/t_access"
      
      static void
      errExit(char *msg)
      {
          perror(msg);
          exit(EXIT_FAILURE);
      } /* errExit */
      
      static void
      accessTest(char *file, int mask, char *mstr)
      {
          printf("access(%s, %s) returns %d\n", file, mstr, access(file, mask));
      } /* accessTest */
      
      int
      main(int argc, char *argv[])
      {
          int fd, perm, uid, gid;
          char *testpath;
          char cmd[PATH_MAX + 20];
      
          testpath = (argc > 1) ? argv[1] : TESTPATH;
          perm = (argc > 2) ? strtoul(argv[2], NULL, 8) : PERM;
          uid = (argc > 3) ? atoi(argv[3]) : UID;
          gid = (argc > 4) ? atoi(argv[4]) : GID;
      
          unlink(testpath);
      
          fd = open(testpath, O_RDWR | O_CREAT, 0);
          if (fd == -1) errExit("open");
      
          if (fchown(fd, uid, gid) == -1) errExit("fchown");
          if (fchmod(fd, perm) == -1) errExit("fchmod");
          close(fd);
      
          snprintf(cmd, sizeof(cmd), "ls -l %s", testpath);
          system(cmd);
      
          if (seteuid(uid) == -1) errExit("seteuid");
      
          accessTest(testpath, 0, "0");
          accessTest(testpath, R_OK, "R_OK");
          accessTest(testpath, W_OK, "W_OK");
          accessTest(testpath, X_OK, "X_OK");
          accessTest(testpath, R_OK | W_OK, "R_OK | W_OK");
          accessTest(testpath, R_OK | X_OK, "R_OK | X_OK");
          accessTest(testpath, W_OK | X_OK, "W_OK | X_OK");
          accessTest(testpath, R_OK | W_OK | X_OK, "R_OK | W_OK | X_OK");
      
          exit(EXIT_SUCCESS);
      } /* main */
      
      This can be run against an Ext3 filesystem as well as against an XFS
      filesystem.  If successful, it will show:
      
      	[root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043
      	---------- 1 dhowells dhowells 0 2008-12-31 03:00 /tmp/xxx
      	access(/tmp/xxx, 0) returns 0
      	access(/tmp/xxx, R_OK) returns 0
      	access(/tmp/xxx, W_OK) returns 0
      	access(/tmp/xxx, X_OK) returns -1
      	access(/tmp/xxx, R_OK | W_OK) returns 0
      	access(/tmp/xxx, R_OK | X_OK) returns -1
      	access(/tmp/xxx, W_OK | X_OK) returns -1
      	access(/tmp/xxx, R_OK | W_OK | X_OK) returns -1
      
      If unsuccessful, it will show:
      
      	[root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043
      	---------- 1 dhowells dhowells 0 2008-12-31 02:56 /tmp/xxx
      	access(/tmp/xxx, 0) returns 0
      	access(/tmp/xxx, R_OK) returns -1
      	access(/tmp/xxx, W_OK) returns -1
      	access(/tmp/xxx, X_OK) returns -1
      	access(/tmp/xxx, R_OK | W_OK) returns -1
      	access(/tmp/xxx, R_OK | X_OK) returns -1
      	access(/tmp/xxx, W_OK | X_OK) returns -1
      	access(/tmp/xxx, R_OK | W_OK | X_OK) returns -1
      
      I've also tested the fix with the SELinux and syscalls LTP testsuites.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      14eaddc9