| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250610172226.1470741-31-stephen.smalley.work@gmail.com>
Date: Tue, 10 Jun 2025 13:22:01 -0400
From: Stephen Smalley <stephen.smalley.work@...il.com>
To: selinux@...r.kernel.org
Cc: paul@...l-moore.com,
omosnace@...hat.com,
netdev@...r.kernel.org,
Stephen Smalley <stephen.smalley.work@...il.com>
Subject: [PATCH v4 30/42] selinux: convert selinux_file_send_sigiotask() to namespace-aware helper
Convert selinux_file_send_sigiotask() to use the cred_task_has_perm()
namespace-aware permission checking helper. This required saving the
file owner cred in the file security blob for later use in this hook
function. Since the cred already includes the cred/task security blob
which has the task SID and the SELinux state/namespace, we can drop
those separate fields from the file_security_struct at the same time.
Signed-off-by: Stephen Smalley <stephen.smalley.work@...il.com>
---
security/selinux/hooks.c | 15 ++++++---------
security/selinux/include/objsec.h | 3 +--
2 files changed, 7 insertions(+), 11 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 2e2aa80b76af..25f7b9dd77d4 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3825,8 +3825,7 @@ static int selinux_file_alloc_security(struct file *file)
u32 sid = current_sid();
fsec->sid = sid;
- fsec->fown_sid = sid;
- fsec->state = get_selinux_state(current_selinux_state);
+ fsec->cred = get_cred(current_cred());
return 0;
}
@@ -3835,8 +3834,7 @@ static void selinux_file_free_security(struct file *file)
{
struct file_security_struct *fsec = selinux_file(file);
- put_selinux_state(fsec->state);
- fsec->state = NULL;
+ put_cred(fsec->cred);
}
/*
@@ -4119,14 +4117,14 @@ static void selinux_file_set_fowner(struct file *file)
struct file_security_struct *fsec;
fsec = selinux_file(file);
- fsec->fown_sid = current_sid();
+ put_cred(fsec->cred);
+ fsec->cred = get_cred(current_cred());
}
static int selinux_file_send_sigiotask(struct task_struct *tsk,
struct fown_struct *fown, int signum)
{
struct file *file;
- u32 sid = task_sid_obj(tsk);
u32 perm;
struct file_security_struct *fsec;
@@ -4140,9 +4138,8 @@ static int selinux_file_send_sigiotask(struct task_struct *tsk,
else
perm = signal_to_av(signum);
- return avc_has_perm(fsec->state,
- fsec->fown_sid, sid,
- SECCLASS_PROCESS, perm, NULL);
+ return cred_task_has_perm(fsec->cred, tsk, SECCLASS_PROCESS, perm,
+ NULL);
}
static int selinux_file_receive(struct file *file)
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index 18736dd23441..65c529ae7f75 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -48,10 +48,9 @@ struct inode_security_struct {
struct file_security_struct {
u32 sid; /* SID of open file description */
- u32 fown_sid; /* SID of file owner (for SIGIO) */
u32 isid; /* SID of inode at the time of file open */
u32 pseqno; /* Policy seqno at the time of file open */
- struct selinux_state *state; /* SELinux state */
+ const struct cred *cred; /* cred for file owner (for SIGIO) */
};
struct superblock_security_struct {
--
2.49.0
Powered by blists - more mailing lists