| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAHC9VhRiZS2Dh+0-GqHE+um7T05p4_=EXG7tOtC5pciWMteDDw@mail.gmail.com>
Date: Fri, 7 Mar 2025 16:47:28 -0500
From: Paul Moore <paul@...l-moore.com>
To: Li Li <dualli@...omium.org>
Cc: dualli@...gle.com, corbet@....net, davem@...emloft.net,
edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com,
donald.hunter@...il.com, gregkh@...uxfoundation.org, arve@...roid.com,
tkjos@...roid.com, maco@...roid.com, joel@...lfernandes.org,
brauner@...nel.org, cmllamas@...gle.com, surenb@...gle.com,
omosnace@...hat.com, shuah@...nel.org, arnd@...db.de, masahiroy@...nel.org,
bagasdotme@...il.com, horms@...nel.org, tweek@...gle.com,
linux-kernel@...r.kernel.org, linux-doc@...r.kernel.org,
netdev@...r.kernel.org, selinux@...r.kernel.org, hridya@...gle.com,
smoreland@...gle.com, ynaffit@...gle.com, kernel-team@...roid.com
Subject: Re: [PATCH v16 1/3] lsm, selinux: Add setup_report permission to binder
On Mon, Mar 3, 2025 at 3:02 PM Li Li <dualli@...omium.org> wrote:
>
> From: Thiébaud Weksteen <tweek@...gle.com>
>
> Introduce a new permission "setup_report" to the "binder" class.
> This persmission controls the ability to set up the binder generic
> netlink driver to report certain binder transactions.
>
> Signed-off-by: Thiébaud Weksteen <tweek@...gle.com>
> Signed-off-by: Li Li <dualli@...gle.com>
> ---
> include/linux/lsm_hook_defs.h | 1 +
> include/linux/security.h | 6 ++++++
> security/security.c | 13 +++++++++++++
> security/selinux/hooks.c | 7 +++++++
> security/selinux/include/classmap.h | 3 ++-
> 5 files changed, 29 insertions(+), 1 deletion(-)
...
> diff --git a/security/security.c b/security/security.c
> index 8aa839232c73..382e3bbab215 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -1043,6 +1043,19 @@ int security_binder_transfer_file(const struct cred *from,
> return call_int_hook(binder_transfer_file, from, to, file);
> }
>
> +/**
> + * security_binder_setup_report() - Check if process allowed to set up binder reports.
Please keep the line length in the LSM and SELinux code to 80
characters or less.
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 0d958f38ff9f..2fafa8feafdf 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -2092,6 +2092,12 @@ static int selinux_binder_transfer_file(const struct cred *from,
> &ad);
> }
>
> +static int selinux_binder_setup_report(const struct cred *to)
> +{
> + return avc_has_perm(current_sid(), cred_sid(to), SECCLASS_BINDER,
> + BINDER__SETUP_REPORT, NULL);
> +}
There should also be an associated patch{set} against the
selinux-testsuite to add tests for the binder/setup_report permission
introduced here. My apologies if you've already posted one, but I'm
looking now and I don't see anything either on the lists or on GH.
* https://github.com/SELinuxProject/selinux-testsuite
--
paul-moore.com
Powered by blists - more mailing lists