| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250610172226.1470741-24-stephen.smalley.work@gmail.com>
Date: Tue, 10 Jun 2025 13:21:54 -0400
From: Stephen Smalley <stephen.smalley.work@...il.com>
To: selinux@...r.kernel.org
Cc: paul@...l-moore.com,
omosnace@...hat.com,
netdev@...r.kernel.org,
Stephen Smalley <stephen.smalley.work@...il.com>
Subject: [PATCH v4 23/42] selinux: introduce cred_has_extended_perms()
Introduce cred_has_extended_perms() to check extended permissions
against the current SELinux namespace and all ancestor namespaces.
Update the caller of avc_has_extended_perms() to use this function
instead.
Signed-off-by: Stephen Smalley <stephen.smalley.work@...il.com>
---
security/selinux/avc.c | 26 ++++++++++++++++++++++++++
security/selinux/hooks.c | 7 +++----
security/selinux/include/avc.h | 4 ++++
3 files changed, 33 insertions(+), 4 deletions(-)
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 577743a01c5a..cf0161404bf5 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -1291,6 +1291,32 @@ int cred_task_has_perm(const struct cred *cred, const struct task_struct *p,
return 0;
}
+int cred_has_extended_perms(const struct cred *cred, u32 tsid, u16 tclass,
+ u32 requested, u8 driver, u8 base_perm, u8 xperm,
+ struct common_audit_data *ad)
+{
+ struct task_security_struct *tsec;
+ struct selinux_state *state;
+ u32 ssid;
+ int rc;
+
+ do {
+ tsec = selinux_cred(cred);
+ ssid = tsec->sid;
+ state = tsec->state;
+
+ rc = avc_has_extended_perms(state, ssid, tsid, tclass,
+ requested, driver, base_perm,
+ xperm, ad);
+ if (rc)
+ return rc;
+
+ cred = tsec->parent_cred;
+ } while (cred);
+
+ return 0;
+}
+
u32 avc_policy_seqno(struct selinux_state *state)
{
return state->avc->avc_cache.latest_notif;
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 93df1d969547..2112da2f5d4d 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3889,10 +3889,9 @@ static int ioctl_has_perm(const struct cred *cred, struct file *file,
return 0;
isec = inode_security(inode);
- rc = avc_has_extended_perms(cred_selinux_state(cred),
- ssid, isec->sid, isec->sclass,
- requested, driver, AVC_EXT_IOCTL, xperm,
- &ad);
+ rc = cred_has_extended_perms(cred, isec->sid, isec->sclass,
+ requested, driver, AVC_EXT_IOCTL,
+ xperm, &ad);
out:
return rc;
}
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index ce2d1b71e0a2..d00c9ecf5d91 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -150,6 +150,10 @@ int cred_task_has_perm(const struct cred *cred, const struct task_struct *p,
u16 tclass, u32 requested,
struct common_audit_data *auditdata);
+int cred_has_extended_perms(const struct cred *cred, u32 tsid, u16 tclass,
+ u32 requested, u8 driver, u8 base_perm, u8 xperm,
+ struct common_audit_data *ad);
+
u32 avc_policy_seqno(struct selinux_state *state);
#define AVC_CALLBACK_GRANT 1
--
2.49.0
Powered by blists - more mailing lists