| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250610172226.1470741-32-stephen.smalley.work@gmail.com>
Date: Tue, 10 Jun 2025 13:22:02 -0400
From: Stephen Smalley <stephen.smalley.work@...il.com>
To: selinux@...r.kernel.org
Cc: paul@...l-moore.com,
omosnace@...hat.com,
netdev@...r.kernel.org,
Stephen Smalley <stephen.smalley.work@...il.com>
Subject: [PATCH v4 31/42] selinux: rename cred_has_perm*() to cred_tsid_has_perm*()
Rename cred_has_perm*() to cred_tsid_has_perm*() for greater
clarity and parallelism with the other helper functions.
These functions check permissions between a cred and a fixed
target SID for the current namespace and its ancestors.
Signed-off-by: Stephen Smalley <stephen.smalley.work@...il.com>
---
security/selinux/avc.c | 12 +-
security/selinux/hooks.c | 239 +++++++++++++++++----------------
security/selinux/include/avc.h | 8 +-
3 files changed, 130 insertions(+), 129 deletions(-)
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index fc40e840a143..efafe8a06908 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -1497,7 +1497,7 @@ int cred_self_has_perm_noaudit(const struct cred *cred, u16 tclass,
/**
- * cred_has_perm - Check and audit permissions on a (cred, tsid) pair
+ * cred_tsid_has_perm - Check and audit permissions on a (cred, tsid) pair
* @cred: subject credentials
* @tsid: target security identifier
* @tclass: target security class
@@ -1514,8 +1514,8 @@ int cred_self_has_perm_noaudit(const struct cred *cred, u16 tclass,
* DO NOT USE when checking permissions between two creds (or tasks);
* use cred_other_has_perm() or cred_task_has_perm() instead.
*/
-int cred_has_perm(const struct cred *cred, u32 tsid, u16 tclass,
- u32 requested, struct common_audit_data *ad)
+int cred_tsid_has_perm(const struct cred *cred, u32 tsid, u16 tclass,
+ u32 requested, struct common_audit_data *ad)
{
struct task_security_struct *tsec;
struct selinux_state *state;
@@ -1537,7 +1537,7 @@ int cred_has_perm(const struct cred *cred, u32 tsid, u16 tclass,
}
/**
- * cred_has_perm_noaudit - Check permissions on a (cred, tsid) pair, no audit
+ * cred_tsid_has_perm_noaudit - Check permissions on a (cred, tsid) pair, no audit
* @cred: subject credentials
* @tsid: target security identifier
* @tclass: target security class
@@ -1552,8 +1552,8 @@ int cred_has_perm(const struct cred *cred, u32 tsid, u16 tclass,
* DO NOT USE when checking permissions between two creds (or tasks);
* use cred_other_has_perm() or cred_task_has_perm() instead.
*/
-int cred_has_perm_noaudit(const struct cred *cred, u32 tsid, u16 tclass,
- u32 requested, struct av_decision *avd)
+int cred_tsid_has_perm_noaudit(const struct cred *cred, u32 tsid, u16 tclass,
+ u32 requested, struct av_decision *avd)
{
struct task_security_struct *tsec;
struct selinux_state *state;
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 25f7b9dd77d4..c04eda2f18fc 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -448,13 +448,13 @@ static int may_context_mount_sb_relabel(u32 sid,
{
int rc;
- rc = cred_has_perm(cred, sbsec->sid, SECCLASS_FILESYSTEM,
- FILESYSTEM__RELABELFROM, NULL);
+ rc = cred_tsid_has_perm(cred, sbsec->sid, SECCLASS_FILESYSTEM,
+ FILESYSTEM__RELABELFROM, NULL);
if (rc)
return rc;
- rc = cred_has_perm(cred, sid, SECCLASS_FILESYSTEM,
- FILESYSTEM__RELABELTO, NULL);
+ rc = cred_tsid_has_perm(cred, sid, SECCLASS_FILESYSTEM,
+ FILESYSTEM__RELABELTO, NULL);
return rc;
}
@@ -464,8 +464,8 @@ static int may_context_mount_inode_relabel(u32 sid,
{
int rc;
- rc = cred_has_perm(cred, sbsec->sid, SECCLASS_FILESYSTEM,
- FILESYSTEM__RELABELFROM, NULL);
+ rc = cred_tsid_has_perm(cred, sbsec->sid, SECCLASS_FILESYSTEM,
+ FILESYSTEM__RELABELFROM, NULL);
if (rc)
return rc;
@@ -1695,7 +1695,7 @@ static int inode_has_perm(const struct cred *cred,
isec = selinux_inode(inode);
- return cred_has_perm(cred, isec->sid, isec->sclass, perms, adp);
+ return cred_tsid_has_perm(cred, isec->sid, isec->sclass, perms, adp);
}
/* Same as inode_has_perm, but pass explicit audit data containing
@@ -1774,8 +1774,8 @@ static int file_has_perm(const struct cred *cred,
ad.u.file = file;
if (sid != fsec->sid) {
- rc = cred_has_perm(cred, fsec->sid, SECCLASS_FD, FD__USE,
- &ad);
+ rc = cred_tsid_has_perm(cred, fsec->sid, SECCLASS_FD, FD__USE,
+ &ad);
if (rc)
goto out;
}
@@ -1842,9 +1842,9 @@ static int may_create(struct inode *dir,
ad.type = LSM_AUDIT_DATA_DENTRY;
ad.u.dentry = dentry;
- rc = cred_has_perm(cred, dsec->sid, SECCLASS_DIR,
- DIR__ADD_NAME | DIR__SEARCH,
- &ad);
+ rc = cred_tsid_has_perm(cred, dsec->sid, SECCLASS_DIR,
+ DIR__ADD_NAME | DIR__SEARCH,
+ &ad);
if (rc)
return rc;
@@ -1853,7 +1853,7 @@ static int may_create(struct inode *dir,
if (rc)
return rc;
- rc = cred_has_perm(cred, newsid, tclass, FILE__CREATE, &ad);
+ rc = cred_tsid_has_perm(cred, newsid, tclass, FILE__CREATE, &ad);
if (rc)
return rc;
@@ -1886,7 +1886,7 @@ static int may_link(struct inode *dir,
av = DIR__SEARCH;
av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
- rc = cred_has_perm(cred, dsec->sid, SECCLASS_DIR, av, &ad);
+ rc = cred_tsid_has_perm(cred, dsec->sid, SECCLASS_DIR, av, &ad);
if (rc)
return rc;
@@ -1906,7 +1906,7 @@ static int may_link(struct inode *dir,
return 0;
}
- return cred_has_perm(cred, isec->sid, isec->sclass, av, &ad);
+ return cred_tsid_has_perm(cred, isec->sid, isec->sclass, av, &ad);
}
static inline int may_rename(struct inode *old_dir,
@@ -1929,17 +1929,17 @@ static inline int may_rename(struct inode *old_dir,
ad.type = LSM_AUDIT_DATA_DENTRY;
ad.u.dentry = old_dentry;
- rc = cred_has_perm(cred, old_dsec->sid, SECCLASS_DIR,
- DIR__REMOVE_NAME | DIR__SEARCH, &ad);
+ rc = cred_tsid_has_perm(cred, old_dsec->sid, SECCLASS_DIR,
+ DIR__REMOVE_NAME | DIR__SEARCH, &ad);
if (rc)
return rc;
- rc = cred_has_perm(cred, old_isec->sid, old_isec->sclass,
- FILE__RENAME, &ad);
+ rc = cred_tsid_has_perm(cred, old_isec->sid, old_isec->sclass,
+ FILE__RENAME, &ad);
if (rc)
return rc;
if (old_is_dir && new_dir != old_dir) {
- rc = cred_has_perm(cred, old_isec->sid, old_isec->sclass,
- DIR__REPARENT, &ad);
+ rc = cred_tsid_has_perm(cred, old_isec->sid, old_isec->sclass,
+ DIR__REPARENT, &ad);
if (rc)
return rc;
}
@@ -1948,15 +1948,15 @@ static inline int may_rename(struct inode *old_dir,
av = DIR__ADD_NAME | DIR__SEARCH;
if (d_is_positive(new_dentry))
av |= DIR__REMOVE_NAME;
- rc = cred_has_perm(cred, new_dsec->sid, SECCLASS_DIR, av, &ad);
+ rc = cred_tsid_has_perm(cred, new_dsec->sid, SECCLASS_DIR, av, &ad);
if (rc)
return rc;
if (d_is_positive(new_dentry)) {
new_isec = backing_inode_security(new_dentry);
new_is_dir = d_is_dir(new_dentry);
- rc = cred_has_perm(cred, new_isec->sid, new_isec->sclass,
- (new_is_dir ? DIR__RMDIR : FILE__UNLINK),
- &ad);
+ rc = cred_tsid_has_perm(cred, new_isec->sid, new_isec->sclass,
+ (new_is_dir ? DIR__RMDIR : FILE__UNLINK),
+ &ad);
if (rc)
return rc;
}
@@ -1973,8 +1973,8 @@ static int superblock_has_perm(const struct cred *cred,
struct superblock_security_struct *sbsec;
sbsec = selinux_superblock(sb);
- return cred_has_perm(cred, sbsec->sid, SECCLASS_FILESYSTEM, perms,
- ad);
+ return cred_tsid_has_perm(cred, sbsec->sid, SECCLASS_FILESYSTEM, perms,
+ ad);
}
/* Convert a Linux mode and permission mask to an access vector. */
@@ -2093,8 +2093,8 @@ static int selinux_binder_transfer_file(const struct cred *from,
ad.u.path = file->f_path;
if (sid != fsec->sid) {
- rc = cred_has_perm(to, fsec->sid, SECCLASS_FD, FD__USE,
- &ad);
+ rc = cred_tsid_has_perm(to, fsec->sid, SECCLASS_FD, FD__USE,
+ &ad);
if (rc)
return rc;
}
@@ -2109,8 +2109,8 @@ static int selinux_binder_transfer_file(const struct cred *from,
return 0;
isec = backing_inode_security(dentry);
- return cred_has_perm(to, isec->sid, isec->sclass, file_to_av(file),
- &ad);
+ return cred_tsid_has_perm(to, isec->sid, isec->sclass, file_to_av(file),
+ &ad);
}
static int selinux_ptrace_access_check(struct task_struct *child,
@@ -2211,20 +2211,20 @@ static int selinux_syslog(int type)
switch (type) {
case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
- return cred_has_perm(cred, SECINITSID_KERNEL,
- SECCLASS_SYSTEM,
- SYSTEM__SYSLOG_READ, NULL);
+ return cred_tsid_has_perm(cred, SECINITSID_KERNEL,
+ SECCLASS_SYSTEM,
+ SYSTEM__SYSLOG_READ, NULL);
case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
/* Set level of messages printed to console */
case SYSLOG_ACTION_CONSOLE_LEVEL:
- return cred_has_perm(cred, SECINITSID_KERNEL,
- SECCLASS_SYSTEM,
- SYSTEM__SYSLOG_CONSOLE, NULL);
+ return cred_tsid_has_perm(cred, SECINITSID_KERNEL,
+ SECCLASS_SYSTEM,
+ SYSTEM__SYSLOG_CONSOLE, NULL);
}
/* All other syslog types */
- return cred_has_perm(cred, SECINITSID_KERNEL, SECCLASS_SYSTEM,
- SYSTEM__SYSLOG_MOD, NULL);
+ return cred_tsid_has_perm(cred, SECINITSID_KERNEL, SECCLASS_SYSTEM,
+ SYSTEM__SYSLOG_MOD, NULL);
}
/*
@@ -2458,8 +2458,8 @@ static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
*/
cred = old_tsec->parent_cred;
if (cred) {
- rc = cred_has_perm(cred, isec->sid,
- SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
+ rc = cred_tsid_has_perm(cred, isec->sid,
+ SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
if (rc)
return rc;
}
@@ -3070,8 +3070,8 @@ static int selinux_inode_init_security_anon(struct inode *inode,
ad.type = LSM_AUDIT_DATA_ANONINODE;
ad.u.anonclass = name ? (const char *)name->name : "?";
- return cred_has_perm(current_cred(), isec->sid, isec->sclass,
- FILE__CREATE, &ad);
+ return cred_tsid_has_perm(current_cred(), isec->sid, isec->sclass,
+ FILE__CREATE, &ad);
}
static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
@@ -3134,8 +3134,8 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
if (IS_ERR(isec))
return PTR_ERR(isec);
- return cred_has_perm(current_cred(), isec->sid, isec->sclass,
- FILE__READ, &ad);
+ return cred_tsid_has_perm(current_cred(), isec->sid, isec->sclass,
+ FILE__READ, &ad);
}
static noinline int audit_inode_permission(struct inode *inode,
@@ -3279,8 +3279,8 @@ static int selinux_inode_permission(struct inode *inode, int requested)
struct av_decision avd;
/* Cache miss. */
- rc = cred_has_perm_noaudit(current_cred(), isec->sid,
- isec->sclass, perms, &avd);
+ rc = cred_tsid_has_perm_noaudit(current_cred(), isec->sid,
+ isec->sclass, perms, &avd);
audited = avc_audit_required(perms, &avd, rc,
(requested & MAY_ACCESS) ? FILE__AUDIT_ACCESS : 0,
&denied);
@@ -3390,8 +3390,8 @@ static int selinux_inode_setxattr(struct mnt_idmap *idmap,
ad.u.dentry = dentry;
isec = backing_inode_security(dentry);
- rc = cred_has_perm(cred, isec->sid, isec->sclass, FILE__RELABELFROM,
- &ad);
+ rc = cred_tsid_has_perm(cred, isec->sid, isec->sclass, FILE__RELABELFROM,
+ &ad);
if (rc)
return rc;
@@ -3430,8 +3430,8 @@ static int selinux_inode_setxattr(struct mnt_idmap *idmap,
if (rc)
return rc;
- rc = cred_has_perm(cred, newsid, isec->sclass, FILE__RELABELTO,
- &ad);
+ rc = cred_tsid_has_perm(cred, newsid, isec->sclass, FILE__RELABELTO,
+ &ad);
if (rc)
return rc;
@@ -3860,8 +3860,8 @@ static int ioctl_has_perm(const struct cred *cred, struct file *file,
ad.u.op->path = file->f_path;
if (ssid != fsec->sid) {
- rc = cred_has_perm(cred, fsec->sid, SECCLASS_FD, FD__USE,
- &ad);
+ rc = cred_tsid_has_perm(cred, fsec->sid, SECCLASS_FD, FD__USE,
+ &ad);
if (rc)
goto out;
}
@@ -4246,8 +4246,8 @@ static int selinux_kernel_act_as(struct cred *new, u32 secid)
struct task_security_struct *tsec = selinux_cred(new);
int ret;
- ret = cred_has_perm(current_cred(), secid, SECCLASS_KERNEL_SERVICE,
- KERNEL_SERVICE__USE_AS_OVERRIDE, NULL);
+ ret = cred_tsid_has_perm(current_cred(), secid, SECCLASS_KERNEL_SERVICE,
+ KERNEL_SERVICE__USE_AS_OVERRIDE, NULL);
if (ret == 0) {
tsec->sid = secid;
tsec->create_sid = 0;
@@ -4267,10 +4267,10 @@ static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
struct task_security_struct *tsec = selinux_cred(new);
int ret;
- ret = cred_has_perm(current_cred(), isec->sid,
- SECCLASS_KERNEL_SERVICE,
- KERNEL_SERVICE__CREATE_FILES_AS,
- NULL);
+ ret = cred_tsid_has_perm(current_cred(), isec->sid,
+ SECCLASS_KERNEL_SERVICE,
+ KERNEL_SERVICE__CREATE_FILES_AS,
+ NULL);
if (ret == 0)
tsec->create_sid = isec->sid;
@@ -4284,8 +4284,8 @@ static int selinux_kernel_module_request(char *kmod_name)
ad.type = LSM_AUDIT_DATA_KMOD;
ad.u.kmod_name = kmod_name;
- return cred_has_perm(current_cred(), SECINITSID_KERNEL,
- SECCLASS_SYSTEM, SYSTEM__MODULE_REQUEST, &ad);
+ return cred_tsid_has_perm(current_cred(), SECINITSID_KERNEL,
+ SECCLASS_SYSTEM, SYSTEM__MODULE_REQUEST, &ad);
}
static int selinux_kernel_load_from_file(struct file *file, u32 requested)
@@ -4307,14 +4307,15 @@ static int selinux_kernel_load_from_file(struct file *file, u32 requested)
fsec = selinux_file(file);
if (sid != fsec->sid) {
- rc = cred_has_perm(cred, fsec->sid, SECCLASS_FD, FD__USE,
- &ad);
+ rc = cred_tsid_has_perm(cred, fsec->sid, SECCLASS_FD, FD__USE,
+ &ad);
if (rc)
return rc;
}
isec = inode_security(file_inode(file));
- return cred_has_perm(cred, isec->sid, SECCLASS_SYSTEM, requested, &ad);
+ return cred_tsid_has_perm(cred, isec->sid, SECCLASS_SYSTEM, requested,
+ &ad);
}
static int selinux_kernel_read_file(struct file *file,
@@ -4837,8 +4838,8 @@ static int sock_has_perm(struct sock *sk, u32 perms)
ad_net_init_from_sk(&ad, &net, sk);
- return cred_has_perm(current_cred(), sksec->sid, sksec->sclass,
- perms, &ad);
+ return cred_tsid_has_perm(current_cred(), sksec->sid, sksec->sclass,
+ perms, &ad);
}
static int selinux_socket_create(int family, int type,
@@ -4857,8 +4858,8 @@ static int selinux_socket_create(int family, int type,
if (rc)
return rc;
- return cred_has_perm(current_cred(), newsid, secclass,
- SOCKET__CREATE, NULL);
+ return cred_tsid_has_perm(current_cred(), newsid, secclass,
+ SOCKET__CREATE, NULL);
}
static int selinux_socket_post_create(struct socket *sock, int family,
@@ -5808,8 +5809,8 @@ static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
static int selinux_secmark_relabel_packet(u32 sid)
{
- return cred_has_perm(current_cred(), sid, SECCLASS_PACKET,
- PACKET__RELABELTO, NULL);
+ return cred_tsid_has_perm(current_cred(), sid, SECCLASS_PACKET,
+ PACKET__RELABELTO, NULL);
}
static void selinux_secmark_refcount_inc(void)
@@ -5853,9 +5854,9 @@ static int selinux_tun_dev_attach_queue(void *security)
{
struct tun_security_struct *tunsec = selinux_tun_dev(security);
- return cred_has_perm(current_cred(), tunsec->sid,
- SECCLASS_TUN_SOCKET, TUN_SOCKET__ATTACH_QUEUE,
- NULL);
+ return cred_tsid_has_perm(current_cred(), tunsec->sid,
+ SECCLASS_TUN_SOCKET, TUN_SOCKET__ATTACH_QUEUE,
+ NULL);
}
static int selinux_tun_dev_attach(struct sock *sk, void *security)
@@ -5882,8 +5883,8 @@ static int selinux_tun_dev_open(void *security)
struct tun_security_struct *tunsec = selinux_tun_dev(security);
int err;
- err = cred_has_perm(cred, tunsec->sid, SECCLASS_TUN_SOCKET,
- TUN_SOCKET__RELABELFROM, NULL);
+ err = cred_tsid_has_perm(cred, tunsec->sid, SECCLASS_TUN_SOCKET,
+ TUN_SOCKET__RELABELFROM, NULL);
if (err)
return err;
err = cred_self_has_perm(cred, SECCLASS_TUN_SOCKET,
@@ -6273,8 +6274,8 @@ static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = ipc_perms->key;
- return cred_has_perm(current_cred(), isec->sid, isec->sclass, perms,
- &ad);
+ return cred_tsid_has_perm(current_cred(), isec->sid, isec->sclass, perms,
+ &ad);
}
static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
@@ -6299,8 +6300,8 @@ static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = msq->key;
- return cred_has_perm(current_cred(), isec->sid, SECCLASS_MSGQ,
- MSGQ__CREATE, &ad);
+ return cred_tsid_has_perm(current_cred(), isec->sid, SECCLASS_MSGQ,
+ MSGQ__CREATE, &ad);
}
static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
@@ -6313,8 +6314,8 @@ static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = msq->key;
- return cred_has_perm(current_cred(), isec->sid, SECCLASS_MSGQ,
- MSGQ__ASSOCIATE, &ad);
+ return cred_tsid_has_perm(current_cred(), isec->sid, SECCLASS_MSGQ,
+ MSGQ__ASSOCIATE, &ad);
}
static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
@@ -6325,8 +6326,8 @@ static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
case IPC_INFO:
case MSG_INFO:
/* No specific object, just general system-wide information. */
- return cred_has_perm(current_cred(), SECINITSID_KERNEL,
- SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
+ return cred_tsid_has_perm(current_cred(), SECINITSID_KERNEL,
+ SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
case IPC_STAT:
case MSG_STAT:
case MSG_STAT_ANY:
@@ -6375,11 +6376,11 @@ static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *m
ad.u.ipc_id = msq->key;
/* Can this process write to the queue? */
- rc = cred_has_perm(cred, isec->sid, SECCLASS_MSGQ, MSGQ__WRITE, &ad);
+ rc = cred_tsid_has_perm(cred, isec->sid, SECCLASS_MSGQ, MSGQ__WRITE, &ad);
if (!rc)
/* Can this process send the message */
- rc = cred_has_perm(cred, msec->sid, SECCLASS_MSG, MSG__SEND,
- &ad);
+ rc = cred_tsid_has_perm(cred, msec->sid, SECCLASS_MSG, MSG__SEND,
+ &ad);
if (!rc)
/* Can the message be put in the queue? */
rc = cred_ssid_has_perm(cred, msec->sid, isec->sid,
@@ -6426,8 +6427,8 @@ static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = shp->key;
- return cred_has_perm(current_cred(), isec->sid, SECCLASS_SHM,
- SHM__CREATE, &ad);
+ return cred_tsid_has_perm(current_cred(), isec->sid, SECCLASS_SHM,
+ SHM__CREATE, &ad);
}
static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
@@ -6440,8 +6441,8 @@ static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = shp->key;
- return cred_has_perm(current_cred(), isec->sid, SECCLASS_SHM,
- SHM__ASSOCIATE, &ad);
+ return cred_tsid_has_perm(current_cred(), isec->sid, SECCLASS_SHM,
+ SHM__ASSOCIATE, &ad);
}
/* Note, at this point, shp is locked down */
@@ -6453,9 +6454,9 @@ static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
case IPC_INFO:
case SHM_INFO:
/* No specific object, just general system-wide information. */
- return cred_has_perm(current_cred(), SECINITSID_KERNEL,
- SECCLASS_SYSTEM, SYSTEM__IPC_INFO,
- NULL);
+ return cred_tsid_has_perm(current_cred(), SECINITSID_KERNEL,
+ SECCLASS_SYSTEM, SYSTEM__IPC_INFO,
+ NULL);
case IPC_STAT:
case SHM_STAT:
case SHM_STAT_ANY:
@@ -6503,8 +6504,8 @@ static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = sma->key;
- return cred_has_perm(current_cred(), isec->sid, SECCLASS_SEM,
- SEM__CREATE, &ad);
+ return cred_tsid_has_perm(current_cred(), isec->sid, SECCLASS_SEM,
+ SEM__CREATE, &ad);
}
static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
@@ -6517,8 +6518,8 @@ static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = sma->key;
- return cred_has_perm(current_cred(), isec->sid, SECCLASS_SEM,
- SEM__ASSOCIATE, &ad);
+ return cred_tsid_has_perm(current_cred(), isec->sid, SECCLASS_SEM,
+ SEM__ASSOCIATE, &ad);
}
/* Note, at this point, sma is locked down */
@@ -6531,9 +6532,9 @@ static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
case IPC_INFO:
case SEM_INFO:
/* No specific object, just general system-wide information. */
- return cred_has_perm(current_cred(), SECINITSID_KERNEL,
- SECCLASS_SYSTEM, SYSTEM__IPC_INFO,
- NULL);
+ return cred_tsid_has_perm(current_cred(), SECINITSID_KERNEL,
+ SECCLASS_SYSTEM, SYSTEM__IPC_INFO,
+ NULL);
case GETPID:
case GETNCNT:
case GETZCNT:
@@ -6762,8 +6763,8 @@ static int selinux_lsm_setattr(u64 attr, void *value, size_t size)
tsec->create_sid = sid;
} else if (attr == LSM_ATTR_KEYCREATE) {
if (sid) {
- error = cred_has_perm(cred, sid, SECCLASS_KEY,
- KEY__CREATE, NULL);
+ error = cred_tsid_has_perm(cred, sid, SECCLASS_KEY,
+ KEY__CREATE, NULL);
if (error)
goto abort_change;
}
@@ -7022,7 +7023,7 @@ static int selinux_key_permission(key_ref_t key_ref,
key = key_ref_to_ptr(key_ref);
ksec = selinux_key(key);
- return cred_has_perm(cred, ksec->sid, SECCLASS_KEY, perm, NULL);
+ return cred_tsid_has_perm(cred, ksec->sid, SECCLASS_KEY, perm, NULL);
}
static int selinux_key_getsecurity(struct key *key, char **_buffer)
@@ -7045,8 +7046,8 @@ static int selinux_watch_key(struct key *key)
{
struct key_security_struct *ksec = selinux_key(key);
- return cred_has_perm(current_cred(), ksec->sid, SECCLASS_KEY,
- KEY__VIEW, NULL);
+ return cred_tsid_has_perm(current_cred(), ksec->sid, SECCLASS_KEY,
+ KEY__VIEW, NULL);
}
#endif
#endif
@@ -7161,15 +7162,15 @@ static int bpf_fd_pass(const struct file *file, const struct cred *cred)
if (file->f_op == &bpf_map_fops) {
map = file->private_data;
bpfsec = map->security;
- ret = cred_has_perm(cred, bpfsec->sid, SECCLASS_BPF,
- bpf_map_fmode_to_av(file->f_mode), NULL);
+ ret = cred_tsid_has_perm(cred, bpfsec->sid, SECCLASS_BPF,
+ bpf_map_fmode_to_av(file->f_mode), NULL);
if (ret)
return ret;
} else if (file->f_op == &bpf_prog_fops) {
prog = file->private_data;
bpfsec = prog->aux->security;
- ret = cred_has_perm(cred, bpfsec->sid, SECCLASS_BPF,
- BPF__PROG_RUN, NULL);
+ ret = cred_tsid_has_perm(cred, bpfsec->sid, SECCLASS_BPF,
+ BPF__PROG_RUN, NULL);
if (ret)
return ret;
}
@@ -7181,8 +7182,8 @@ static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
struct bpf_security_struct *bpfsec;
bpfsec = map->security;
- return cred_has_perm(current_cred(), bpfsec->sid, SECCLASS_BPF,
- bpf_map_fmode_to_av(fmode), NULL);
+ return cred_tsid_has_perm(current_cred(), bpfsec->sid, SECCLASS_BPF,
+ bpf_map_fmode_to_av(fmode), NULL);
}
static int selinux_bpf_prog(struct bpf_prog *prog)
@@ -7190,8 +7191,8 @@ static int selinux_bpf_prog(struct bpf_prog *prog)
struct bpf_security_struct *bpfsec;
bpfsec = prog->aux->security;
- return cred_has_perm(current_cred(), bpfsec->sid, SECCLASS_BPF,
- BPF__PROG_RUN, NULL);
+ return cred_tsid_has_perm(current_cred(), bpfsec->sid, SECCLASS_BPF,
+ BPF__PROG_RUN, NULL);
}
static int selinux_bpf_map_create(struct bpf_map *map, union bpf_attr *attr,
@@ -7315,16 +7316,16 @@ static int selinux_perf_event_read(struct perf_event *event)
{
struct perf_event_security_struct *perfsec = event->security;
- return cred_has_perm(current_cred(), perfsec->sid,
- SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL);
+ return cred_tsid_has_perm(current_cred(), perfsec->sid,
+ SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL);
}
static int selinux_perf_event_write(struct perf_event *event)
{
struct perf_event_security_struct *perfsec = event->security;
- return cred_has_perm(current_cred(), perfsec->sid,
- SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL);
+ return cred_tsid_has_perm(current_cred(), perfsec->sid,
+ SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL);
}
#endif
@@ -7372,8 +7373,8 @@ static int selinux_uring_cmd(struct io_uring_cmd *ioucmd)
ad.type = LSM_AUDIT_DATA_FILE;
ad.u.file = file;
- return cred_has_perm(current_cred(), isec->sid,
- SECCLASS_IO_URING, IO_URING__CMD, &ad);
+ return cred_tsid_has_perm(current_cred(), isec->sid,
+ SECCLASS_IO_URING, IO_URING__CMD, &ad);
}
/**
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index 9def47812034..1916ee418aa3 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -159,11 +159,11 @@ int cred_self_has_perm(const struct cred *cred, u16 tclass, u32 requested,
int cred_self_has_perm_noaudit(const struct cred *cred, u16 tclass,
u32 requested);
-int cred_has_perm(const struct cred *cred, u32 tsid, u16 tclass, u32 requested,
- struct common_audit_data *ad);
+int cred_tsid_has_perm(const struct cred *cred, u32 tsid, u16 tclass,
+ u32 requested, struct common_audit_data *ad);
-int cred_has_perm_noaudit(const struct cred *cred, u32 tsid, u16 tclass,
- u32 requested, struct av_decision *avd);
+int cred_tsid_has_perm_noaudit(const struct cred *cred, u32 tsid, u16 tclass,
+ u32 requested, struct av_decision *avd);
int cred_ssid_has_perm(const struct cred *cred, u32 ssid, u32 tsid, u16 tclass,
u32 requested, struct common_audit_data *ad);
--
2.49.0
Powered by blists - more mailing lists