Message-ID: <20250610172226.1470741-24-stephen.smalley.work@gmail.com> Date: Tue, 10 Jun 2025 13:21:54 -0400 From: Stephen Smalley <stephen.smalley.work@...il.com> To: selinux@...r.kernel.org Cc: paul@...l-moore.com, omosnace@...hat.com, netdev@...r.kernel.org, Stephen Smalley <stephen.smalley.work@...il.com> Subject: [PATCH v4 23/42] selinux: introduce cred_has_extended_perms() Introduce cred_has_extended_perms() to check extended permissions against the current SELinux namespace and all ancestor namespaces. Update the caller of avc_has_extended_perms() to use this function instead. Signed-off-by: Stephen Smalley <stephen.smalley.work@...il.com> --- security/selinux/avc.c | 26 ++++++++++++++++++++++++++ security/selinux/hooks.c | 7 +++---- security/selinux/include/avc.h | 4 ++++ 3 files changed, 33 insertions(+), 4 deletions(-) diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 577743a01c5a..cf0161404bf5 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -1291,6 +1291,32 @@ int cred_task_has_perm(const struct cred *cred, const struct task_struct *p, return 0; } +int cred_has_extended_perms(const struct cred *cred, u32 tsid, u16 tclass, + u32 requested, u8 driver, u8 base_perm, u8 xperm, + struct common_audit_data *ad) +{ + struct task_security_struct *tsec; + struct selinux_state *state; + u32 ssid; + int rc; + + do { + tsec = selinux_cred(cred); + ssid = tsec->sid; + state = tsec->state; + + rc = avc_has_extended_perms(state, ssid, tsid, tclass, + requested, driver, base_perm, + xperm, ad); + if (rc) + return rc; + + cred = tsec->parent_cred; + } while (cred); + + return 0; +} + u32 avc_policy_seqno(struct selinux_state *state) { return state->avc->avc_cache.latest_notif; diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 93df1d969547..2112da2f5d4d 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
@@ -3889,10 +3889,9 @@ static int ioctl_has_perm(const struct cred *cred, struct file *file, return 0; isec = inode_security(inode); - rc = avc_has_extended_perms(cred_selinux_state(cred), - ssid, isec->sid, isec->sclass, - requested, driver, AVC_EXT_IOCTL, xperm, - &ad); + rc = cred_has_extended_perms(cred, isec->sid, isec->sclass, + requested, driver, AVC_EXT_IOCTL, + xperm, &ad); out: return rc; } diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h index ce2d1b71e0a2..d00c9ecf5d91 100644 --- a/security/selinux/include/avc.h +++ b/security/selinux/include/avc.h @@ -150,6 +150,10 @@ int cred_task_has_perm(const struct cred *cred, const struct task_struct *p, u16 tclass, u32 requested, struct common_audit_data *auditdata); +int cred_has_extended_perms(const struct cred *cred, u32 tsid, u16 tclass, + u32 requested, u8 driver, u8 base_perm, u8 xperm, + struct common_audit_data *ad); + u32 avc_policy_seqno(struct selinux_state *state); #define AVC_CALLBACK_GRANT 1 -- 2.49.0
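Review bot: cred_has_extended_perms() in the avc.c hunk has no comment stating its semantics, namely that the extended permission must be granted by the AVC of the current namespace and by every ancestor reached through tsec->parent_cred, and that the walk stops at the first non-zero rc, so the denial and any audit record emitted through the shared `ad` are attributed to the first namespace that refuses. A short kernel-doc block above the definition spelling out the "current and all ancestors" rule and the short-circuit behaviour would save callers from reading the loop to discover it.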
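Review bot: in the ioctl_has_perm() hunk the removed avc_has_extended_perms() call was the only consumer of `ssid` and of cred_selinux_state(cred) within the lines shown; the replacement derives both from `cred` inside the helper. Confirm that `ssid` still has a use elsewhere in ioctl_has_perm() so the function does not pick up an unused-variable warning, and if it does not, drop the local in this same patch rather than leaving it for a later one.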
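Review bot: the avc.h hunk names the last parameter `ad` while the adjacent cred_task_has_perm() declaration uses `auditdata`; one name across the cred_*_has_perm family would keep the header consistent. The declaration otherwise matches the avc.c definition in type and order (tsid, tclass, requested, driver, base_perm, xperm, ad).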