Re: SELinux detects problem with proprietary binary fglrx driver; however, AMD/ATI will not help
- From: Eric Paris <eparis redhat com>
- To: James Morris <jmorris namei org>
- Cc: "Fedora SELinux support list for users & developers." <fedora-selinux-list redhat com>
- Subject: Re: SELinux detects problem with proprietary binary fglrx driver; however, AMD/ATI will not help
- Date: Thu, 25 Sep 2008 09:13:34 -0400
On Thu, 2008-09-25 at 14:15 +1000, James Morris wrote:
> On Wed, 24 Sep 2008, Francis K Shim wrote:
>
> >
> > I could disable SELinux and I would not have this problem; however, I
> > was hoping that there was a much secure or safer work-around to this
> > problem.
>
> The video driver is inherently dangerous, so the safe approach is not to
> use it.
James isn't exactly being helpful, but the reason is because as you
guessed the problem lies squarely and obviously with AMD/ATI and there
isn't much we can do to help with closed source proprietary software.
AMD/ATI is obviously doing it wrong and when it comes to security doing
it wrong is never a good idea. Sadly we don't have their source so I
can't show you the line of code (or do anything to fix it), but your
backtrace should make it pretty obvious if anyone inside ATI decides to
care.
Stephen, James, what do the two of you think about something like this?
Maybe a WARN_ONCE() ?
security/selinux/hooks.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 03fc6a8..14f1242 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1385,7 +1385,8 @@ static int task_has_capability(struct task_struct *tsk,
default:
printk(KERN_ERR
"SELinux: out of range capability %d\n", cap);
- BUG();
+ WARN();
+ return -EPERM;
}
return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
}
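Review bot: `WARN();` in the default case is called with no arguments, but the kernel's WARN() macro takes a condition and a format string, so this line will not build as written. Use `WARN_ON(1);`, or fold the preceding printk into the warning, for example `WARN_ONCE(1, "SELinux: out of range capability %d\n", cap);`, which matches the WARN_ONCE() idea floated above the patch and keeps a caller that repeatedly passes a bad capability from filling the log with backtraces. The `return -EPERM;` is the right fail-closed choice, since it denies the request instead of falling through to avc_has_perm() with an unset class and permission.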