| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250610172226.1470741-34-stephen.smalley.work@gmail.com>
Date: Tue, 10 Jun 2025 13:22:04 -0400
From: Stephen Smalley <stephen.smalley.work@...il.com>
To: selinux@...r.kernel.org
Cc: paul@...l-moore.com,
omosnace@...hat.com,
netdev@...r.kernel.org,
Stephen Smalley <stephen.smalley.work@...il.com>
Subject: [PATCH v4 33/42] selinux: convert additional checks to cred_ssid_has_perm()
Convert additional permission checks in the hook functions to
use the namespace-aware cred_ssid_has_perm() helper function.
In particular, the following hook functions are updated:
selinux_socket_bind()
selinux_socket_connect_helper()
selinux_socket_unix_stream_connect()
selinux_socket_unix_may_send()
selinux_msg_queue_msgrcv()
In each of these cases, the check is between two object SIDs
and does not use the current cred SID.
selinux_msg_queue_msgrcv() may bear revisiting since the
source SID is the SID of the receiving task (not current).
An alternative would be to use the receiving task's cred
and the cred_tsid_has_perm() helper for these checks.
Signed-off-by: Stephen Smalley <stephen.smalley.work@...il.com>
---
security/selinux/hooks.c | 44 ++++++++++++++++++++--------------------
1 file changed, 22 insertions(+), 22 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index c04eda2f18fc..d13749aa5f24 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4914,6 +4914,7 @@ static int selinux_socket_socketpair(struct socket *socka,
static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
{
+ const struct cred *cred = current_cred();
struct sock *sk = sock->sk;
struct sk_security_struct *sksec = selinux_sock(sk);
u16 family;
@@ -4995,10 +4996,10 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
snum, &sid);
if (err)
goto out;
- err = avc_has_perm(current_selinux_state,
- sksec->sid, sid,
- sksec->sclass,
- SOCKET__NAME_BIND, &ad);
+ err = cred_ssid_has_perm(cred, sksec->sid,
+ sid, sksec->sclass,
+ SOCKET__NAME_BIND,
+ &ad);
if (err)
goto out;
}
@@ -5032,9 +5033,8 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
else
ad.u.net->v6info.saddr = addr6->sin6_addr;
- err = avc_has_perm(current_selinux_state,
- sksec->sid, sid,
- sksec->sclass, node_perm, &ad);
+ err = cred_ssid_has_perm(cred, sksec->sid, sid,
+ sksec->sclass, node_perm, &ad);
if (err)
goto out;
}
@@ -5053,6 +5053,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
static int selinux_socket_connect_helper(struct socket *sock,
struct sockaddr *address, int addrlen)
{
+ const struct cred *cred = current_cred();
struct sock *sk = sock->sk;
struct sk_security_struct *sksec = selinux_sock(sk);
int err;
@@ -5127,8 +5128,8 @@ static int selinux_socket_connect_helper(struct socket *sock,
ad.u.net = &net;
ad.u.net->dport = htons(snum);
ad.u.net->family = address->sa_family;
- err = avc_has_perm(current_selinux_state,
- sksec->sid, sid, sksec->sclass, perm, &ad);
+ err = cred_ssid_has_perm(cred, sksec->sid, sid,
+ sksec->sclass, perm, &ad);
if (err)
return err;
}
@@ -5229,6 +5230,7 @@ static int selinux_socket_unix_stream_connect(struct sock *sock,
struct sock *other,
struct sock *newsk)
{
+ const struct cred *cred = current_cred();
struct sk_security_struct *sksec_sock = selinux_sock(sock);
struct sk_security_struct *sksec_other = selinux_sock(other);
struct sk_security_struct *sksec_new = selinux_sock(newsk);
@@ -5238,10 +5240,9 @@ static int selinux_socket_unix_stream_connect(struct sock *sock,
ad_net_init_from_sk(&ad, &net, other);
- err = avc_has_perm(current_selinux_state,
- sksec_sock->sid, sksec_other->sid,
- sksec_other->sclass,
- UNIX_STREAM_SOCKET__CONNECTTO, &ad);
+ err = cred_ssid_has_perm(cred, sksec_sock->sid, sksec_other->sid,
+ sksec_other->sclass,
+ UNIX_STREAM_SOCKET__CONNECTTO, &ad);
if (err)
return err;
@@ -5261,6 +5262,7 @@ static int selinux_socket_unix_stream_connect(struct sock *sock,
static int selinux_socket_unix_may_send(struct socket *sock,
struct socket *other)
{
+ const struct cred *cred = current_cred();
struct sk_security_struct *ssec = selinux_sock(sock->sk);
struct sk_security_struct *osec = selinux_sock(other->sk);
struct common_audit_data ad;
@@ -5268,9 +5270,8 @@ static int selinux_socket_unix_may_send(struct socket *sock,
ad_net_init_from_sk(&ad, &net, other->sk);
- return avc_has_perm(current_selinux_state,
- ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
- &ad);
+ return cred_ssid_has_perm(cred, ssec->sid, osec->sid, osec->sclass,
+ SOCKET__SENDTO, &ad);
}
static int selinux_inet_sys_rcv_skb(struct selinux_state *state,
@@ -6393,6 +6394,7 @@ static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *m
struct task_struct *target,
long type, int mode)
{
+ const struct cred *cred = current_cred();
struct ipc_security_struct *isec;
struct msg_security_struct *msec;
struct common_audit_data ad;
@@ -6405,13 +6407,11 @@ static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *m
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = msq->key;
- rc = avc_has_perm(current_selinux_state,
- sid, isec->sid,
- SECCLASS_MSGQ, MSGQ__READ, &ad);
+ rc = cred_ssid_has_perm(cred, sid, isec->sid, SECCLASS_MSGQ,
+ MSGQ__READ, &ad);
if (!rc)
- rc = avc_has_perm(current_selinux_state,
- sid, msec->sid,
- SECCLASS_MSG, MSG__RECEIVE, &ad);
+ rc = cred_ssid_has_perm(cred, sid, msec->sid,
+ SECCLASS_MSG, MSG__RECEIVE, &ad);
return rc;
}
--
2.49.0
Powered by blists - more mailing lists