Message-ID: <20250610172226.1470741-31-stephen.smalley.work@gmail.com>
Date: Tue, 10 Jun 2025 13:22:01 -0400
From: Stephen Smalley <stephen.smalley.work@...il.com>
To: selinux@...r.kernel.org
Cc: paul@...l-moore.com, omosnace@...hat.com, netdev@...r.kernel.org, Stephen Smalley <stephen.smalley.work@...il.com>
Subject: [PATCH v4 30/42] selinux: convert selinux_file_send_sigiotask() to namespace-aware helper

Convert selinux_file_send_sigiotask() to use the cred_task_has_perm() namespace-aware permission checking helper. This required saving the file owner cred in the file security blob for later use in this hook function. Since the cred already includes the cred/task security blob which has the task SID and the SELinux state/namespace, we can drop those separate fields from the file_security_struct at the same time.

Signed-off-by: Stephen Smalley <stephen.smalley.work@...il.com>
---
 security/selinux/hooks.c | 15 ++++++---------
 security/selinux/include/objsec.h | 3 +--
 2 files changed, 7 insertions(+), 11 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 2e2aa80b76af..25f7b9dd77d4 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3825,8 +3825,7 @@ static int selinux_file_alloc_security(struct file *file)
 u32 sid = current_sid();
 
 fsec->sid = sid;
- fsec->fown_sid = sid;
- fsec->state = get_selinux_state(current_selinux_state);
+ fsec->cred = get_cred(current_cred());
 return 0;
 }
 
@@ -3835,8 +3834,7 @@ static void selinux_file_free_security(struct file *file)
 {
 struct file_security_struct *fsec = selinux_file(file);
 
- put_selinux_state(fsec->state);
- fsec->state = NULL;
+ put_cred(fsec->cred);
 }
 
 /*
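Review bot: In selinux_file_free_security() the released pointer is left dangling: the removed code cleared `fsec->state` after `put_selinux_state()`, and the same habit is worth keeping for the refcounted cred, `put_cred(fsec->cred); fsec->cred = NULL;`. It costs nothing while the blob is freed right after the hook returns, and it keeps a stale cred pointer from being reachable if the free path is ever reordered. The alloc counterpart in the first hunk takes the reference unconditionally, so the only other value `put_cred()` can see here is a blob that was never initialised, which I assume is zeroed by the LSM blob allocator.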
@@ -4119,14 +4117,14 @@ static void selinux_file_set_fowner(struct file *file)
 struct file_security_struct *fsec;
 
 fsec = selinux_file(file);
- fsec->fown_sid = current_sid();
+ put_cred(fsec->cred);
+ fsec->cred = get_cred(current_cred());
 }
 
 static int selinux_file_send_sigiotask(struct task_struct *tsk,
 struct fown_struct *fown, int signum)
 {
 struct file *file;
- u32 sid = task_sid_obj(tsk);
 u32 perm;
 struct file_security_struct *fsec;
 
@@ -4140,9 +4138,8 @@ static int selinux_file_send_sigiotask(struct task_struct *tsk,
 else
 perm = signal_to_av(signum);
 
- return avc_has_perm(fsec->state,
- fsec->fown_sid, sid,
- SECCLASS_PROCESS, perm, NULL);
+ return cred_task_has_perm(fsec->cred, tsk, SECCLASS_PROCESS, perm,
+ NULL);
 }
 
 static int selinux_file_receive(struct file *file)
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index 18736dd23441..65c529ae7f75 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -48,10 +48,9 @@ struct inode_security_struct {
 
 struct file_security_struct {
 u32 sid; /* SID of open file description */
- u32 fown_sid; /* SID of file owner (for SIGIO) */
 u32 isid; /* SID of inode at the time of file open */
 u32 pseqno; /* Policy seqno at the time of file open */
- struct selinux_state *state; /* SELinux state */
+ const struct cred *cred; /* cred for file owner (for SIGIO) */
 };
 
 struct superblock_security_struct {
-- 
2.49.0
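Review bot: selinux_file_set_fowner() releases the old owner cred before the replacement is stored, so a selinux_file_send_sigiotask() call running concurrently (the second hunk, which now dereferences `fsec->cred` via cred_task_has_perm()) can read a pointer whose reference has already been dropped; with the old u32 `fown_sid` a racy read only produced a stale SID, but with a refcounted pointer it becomes a use-after-free unless the caller serializes the set_fowner hook against the SIGIO path, which I cannot confirm from the hunk. At minimum publish the new cred first and release the old one afterwards, `const struct cred *old = fsec->cred; fsec->cred = get_cred(current_cred()); put_cred(old);`, and add a comment above the assignment stating which lock, if any, protects updates to `fsec->cred`. If nothing serializes writer and reader, the update needs proper publication (an rcu_assign_pointer()/rcu_dereference() pairing, given that struct cred is RCU-freed as far as I recall) or the reader should take its own reference under the owner lock before calling into the permission check.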
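Review bot: The new `cred` member in file_security_struct does not document who owns the reference it holds, which is the one thing a reader of objsec.h needs to know before touching it from another hook. Suggest expanding the comment to `const struct cred *cred; /* file owner cred (for SIGIO); reference taken in file_alloc_security/set_fowner, dropped in file_free_security */`, matching the lifetime the hooks.c hunks actually implement.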