lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250610172226.1470741-34-stephen.smalley.work@gmail.com> Date: Tue, 10 Jun 2025 13:22:04 -0400 From: Stephen Smalley <stephen.smalley.work@...il.com> To: selinux@...r.kernel.org Cc: paul@...l-moore.com, omosnace@...hat.com, netdev@...r.kernel.org, Stephen Smalley <stephen.smalley.work@...il.com> Subject: [PATCH v4 33/42] selinux: convert additional checks to cred_ssid_has_perm() Convert additional permission checks in the hook functions to use the namespace-aware cred_ssid_has_perm() helper function. In particular, the following hook functions are updated: selinux_socket_bind() selinux_socket_connect_helper() selinux_socket_unix_stream_connect() selinux_socket_unix_may_send() selinux_msg_queue_msgrcv() In each of these cases, the check is between two object SIDs and does not use the current cred SID. selinux_msg_queue_msgrcv() may bear revisiting since the source SID is the SID of the receiving task (not current). An alternative would be to use the receiving task's cred and the cred_tsid_has_perm() helper for these checks. Signed-off-by: Stephen Smalley <stephen.smalley.work@...il.com> --- security/selinux/hooks.c | 44 ++++++++++++++++++++-------------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index c04eda2f18fc..d13749aa5f24 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -4914,6 +4914,7 @@ static int selinux_socket_socketpair(struct socket *socka, static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) { + const struct cred *cred = current_cred(); struct sock *sk = sock->sk; struct sk_security_struct *sksec = selinux_sock(sk); u16 family; @@ -4995,10 +4996,10 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in snum, &sid); if (err) goto out; - err = avc_has_perm(current_selinux_state, - sksec->sid, sid, - sksec->sclass, - SOCKET__NAME_BIND, &ad); + err = cred_ssid_has_perm(cred, sksec->sid, + sid, sksec->sclass, + SOCKET__NAME_BIND, + &ad); if (err) goto out; } @@ -5032,9 +5033,8 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in else ad.u.net->v6info.saddr = addr6->sin6_addr; - err = avc_has_perm(current_selinux_state, - sksec->sid, sid, - sksec->sclass, node_perm, &ad); + err = cred_ssid_has_perm(cred, sksec->sid, sid, + sksec->sclass, node_perm, &ad); if (err) goto out; } @@ -5053,6 +5053,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in static int selinux_socket_connect_helper(struct socket *sock, struct sockaddr *address, int addrlen) { + const struct cred *cred = current_cred(); struct sock *sk = sock->sk; struct sk_security_struct *sksec = selinux_sock(sk); int err; @@ -5127,8 +5128,8 @@ static int selinux_socket_connect_helper(struct socket *sock, ad.u.net = &net; ad.u.net->dport = htons(snum); ad.u.net->family = address->sa_family; - err = avc_has_perm(current_selinux_state, - sksec->sid, sid, sksec->sclass, perm, &ad); + err = cred_ssid_has_perm(cred, sksec->sid, sid, + sksec->sclass, perm, &ad); if (err) return err; } @@ -5229,6 +5230,7 @@ static int selinux_socket_unix_stream_connect(struct sock *sock, struct sock *other, struct sock *newsk) { + const struct cred *cred = current_cred(); struct sk_security_struct *sksec_sock = selinux_sock(sock); struct sk_security_struct *sksec_other = selinux_sock(other); struct sk_security_struct *sksec_new = selinux_sock(newsk); @@ -5238,10 +5240,9 @@ static int selinux_socket_unix_stream_connect(struct sock *sock, ad_net_init_from_sk(&ad, &net, other); - err = avc_has_perm(current_selinux_state, - sksec_sock->sid, sksec_other->sid, - sksec_other->sclass, - UNIX_STREAM_SOCKET__CONNECTTO, &ad); + err = cred_ssid_has_perm(cred, sksec_sock->sid, sksec_other->sid, + sksec_other->sclass, + UNIX_STREAM_SOCKET__CONNECTTO, &ad); if (err) return err; @@ -5261,6 +5262,7 @@ static int selinux_socket_unix_stream_connect(struct sock *sock, static int selinux_socket_unix_may_send(struct socket *sock, struct socket *other) { + const struct cred *cred = current_cred(); struct sk_security_struct *ssec = selinux_sock(sock->sk); struct sk_security_struct *osec = selinux_sock(other->sk); struct common_audit_data ad; @@ -5268,9 +5270,8 @@ static int selinux_socket_unix_may_send(struct socket *sock, ad_net_init_from_sk(&ad, &net, other->sk); - return avc_has_perm(current_selinux_state, - ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, - &ad); + return cred_ssid_has_perm(cred, ssec->sid, osec->sid, osec->sclass, + SOCKET__SENDTO, &ad); } static int selinux_inet_sys_rcv_skb(struct selinux_state *state, @@ -6393,6 +6394,7 @@ static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *m struct task_struct *target, long type, int mode) { + const struct cred *cred = current_cred(); struct ipc_security_struct *isec; struct msg_security_struct *msec; struct common_audit_data ad; @@ -6405,13 +6407,11 @@ static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *m ad.type = LSM_AUDIT_DATA_IPC; ad.u.ipc_id = msq->key; - rc = avc_has_perm(current_selinux_state, - sid, isec->sid, - SECCLASS_MSGQ, MSGQ__READ, &ad); + rc = cred_ssid_has_perm(cred, sid, isec->sid, SECCLASS_MSGQ, + MSGQ__READ, &ad); if (!rc) - rc = avc_has_perm(current_selinux_state, - sid, msec->sid, - SECCLASS_MSG, MSG__RECEIVE, &ad); + rc = cred_ssid_has_perm(cred, sid, msec->sid, + SECCLASS_MSG, MSG__RECEIVE, &ad); return rc; } -- 2.49.0
Powered by blists - more mailing lists