| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CANBPYPhkYPYGSxhBWbJ2pMqf_iYqNE6H9=ND9ONuTxoPviW=3g@mail.gmail.com>
Date: Tue, 11 Mar 2025 09:37:59 -0700
From: Li Li <dualli@...omium.org>
To: Paul Moore <paul@...l-moore.com>
Cc: dualli@...gle.com, corbet@....net, davem@...emloft.net,
edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com,
donald.hunter@...il.com, gregkh@...uxfoundation.org, arve@...roid.com,
tkjos@...roid.com, maco@...roid.com, joel@...lfernandes.org,
brauner@...nel.org, cmllamas@...gle.com, surenb@...gle.com,
omosnace@...hat.com, shuah@...nel.org, arnd@...db.de, masahiroy@...nel.org,
bagasdotme@...il.com, horms@...nel.org, tweek@...gle.com,
linux-kernel@...r.kernel.org, linux-doc@...r.kernel.org,
netdev@...r.kernel.org, selinux@...r.kernel.org, hridya@...gle.com,
smoreland@...gle.com, ynaffit@...gle.com, kernel-team@...roid.com
Subject: Re: [PATCH v16 1/3] lsm, selinux: Add setup_report permission to binder
On Fri, Mar 7, 2025 at 1:47 PM Paul Moore <paul@...l-moore.com> wrote:
>
> On Mon, Mar 3, 2025 at 3:02 PM Li Li <dualli@...omium.org> wrote:
> >
> > From: Thiébaud Weksteen <tweek@...gle.com>
> >
> > Introduce a new permission "setup_report" to the "binder" class.
> > This persmission controls the ability to set up the binder generic
> > netlink driver to report certain binder transactions.
> >
> > Signed-off-by: Thiébaud Weksteen <tweek@...gle.com>
> > Signed-off-by: Li Li <dualli@...gle.com>
> > ---
> > include/linux/lsm_hook_defs.h | 1 +
> > include/linux/security.h | 6 ++++++
> > security/security.c | 13 +++++++++++++
> > security/selinux/hooks.c | 7 +++++++
> > security/selinux/include/classmap.h | 3 ++-
> > 5 files changed, 29 insertions(+), 1 deletion(-)
>
> ...
>
> > diff --git a/security/security.c b/security/security.c
> > index 8aa839232c73..382e3bbab215 100644
> > --- a/security/security.c
> > +++ b/security/security.c
> > @@ -1043,6 +1043,19 @@ int security_binder_transfer_file(const struct cred *from,
> > return call_int_hook(binder_transfer_file, from, to, file);
> > }
> >
> > +/**
> > + * security_binder_setup_report() - Check if process allowed to set up binder reports.
>
> Please keep the line length in the LSM and SELinux code to 80
> characters or less.
>
> > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> > index 0d958f38ff9f..2fafa8feafdf 100644
> > --- a/security/selinux/hooks.c
> > +++ b/security/selinux/hooks.c
> > @@ -2092,6 +2092,12 @@ static int selinux_binder_transfer_file(const struct cred *from,
> > &ad);
> > }
> >
> > +static int selinux_binder_setup_report(const struct cred *to)
> > +{
> > + return avc_has_perm(current_sid(), cred_sid(to), SECCLASS_BINDER,
> > + BINDER__SETUP_REPORT, NULL);
> > +}
>
> There should also be an associated patch{set} against the
> selinux-testsuite to add tests for the binder/setup_report permission
> introduced here. My apologies if you've already posted one, but I'm
> looking now and I don't see anything either on the lists or on GH.
>
> * https://github.com/SELinuxProject/selinux-testsuite
>
> --
> paul-moore.com
Thank you very much! I'll add such a test, along with other binder
fixes mentioned by Carlos.
Powered by blists - more mailing lists