| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250610172226.1470741-25-stephen.smalley.work@gmail.com>
Date: Tue, 10 Jun 2025 13:21:55 -0400
From: Stephen Smalley <stephen.smalley.work@...il.com>
To: selinux@...r.kernel.org
Cc: paul@...l-moore.com,
omosnace@...hat.com,
netdev@...r.kernel.org,
Stephen Smalley <stephen.smalley.work@...il.com>
Subject: [PATCH v4 24/42] selinux: introduce cred_self_has_perm()
Introduce a cred_self_has_perm() function for checking permissions
between a cred and itself against the current SELinux namespace
and all ancestors. Also provide a cred_self_has_perm_noaudit() variant
for use where auditing is not desired.
Update existing permission checks in the hook functions to use this
new helper.
Signed-off-by: Stephen Smalley <stephen.smalley.work@...il.com>
---
security/selinux/avc.c | 47 +++++++++++++++++
security/selinux/hooks.c | 92 ++++++++++++----------------------
security/selinux/include/avc.h | 6 +++
3 files changed, 86 insertions(+), 59 deletions(-)
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index cf0161404bf5..d5902f643a41 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -1317,6 +1317,53 @@ int cred_has_extended_perms(const struct cred *cred, u32 tsid, u16 tclass,
return 0;
}
+int cred_self_has_perm(const struct cred *cred, u16 tclass, u32 requested,
+ struct common_audit_data *ad)
+{
+ struct task_security_struct *tsec;
+ struct selinux_state *state;
+ u32 ssid;
+ int rc;
+
+ do {
+ tsec = selinux_cred(cred);
+ ssid = tsec->sid;
+ state = tsec->state;
+ rc = avc_has_perm(state, ssid, ssid, tclass, requested, ad);
+ if (rc)
+ return rc;
+
+ cred = tsec->parent_cred;
+ } while (cred);
+
+ return 0;
+}
+
+int cred_self_has_perm_noaudit(const struct cred *cred, u16 tclass,
+ u32 requested)
+{
+ struct task_security_struct *tsec;
+ struct selinux_state *state;
+ u32 ssid;
+ struct av_decision avd;
+ int rc;
+
+ do {
+ tsec = selinux_cred(cred);
+ ssid = tsec->sid;
+ state = tsec->state;
+
+ rc = avc_has_perm_noaudit(state, ssid, ssid, tclass,
+ requested, 0, &avd);
+ if (rc)
+ return rc;
+
+ cred = tsec->parent_cred;
+ } while (cred);
+
+ return 0;
+}
+
u32 avc_policy_seqno(struct selinux_state *state)
{
return state->avc->avc_cache.latest_notif;
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 2112da2f5d4d..74dc35ee67dc 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1658,9 +1658,7 @@ static int cred_has_capability(const struct cred *cred,
int cap, unsigned int opts, bool initns)
{
struct common_audit_data ad;
- struct av_decision avd;
u16 sclass;
- u32 sid = cred_sid(cred);
u32 av = CAP_TO_MASK(cap);
int rc;
@@ -1680,14 +1678,11 @@ static int cred_has_capability(const struct cred *cred,
return -EINVAL;
}
- rc = avc_has_perm_noaudit(cred_selinux_state(cred),
- sid, sid, sclass, av, 0, &avd);
- if (!(opts & CAP_OPT_NOAUDIT)) {
- int rc2 = avc_audit(cred_selinux_state(cred),
- sid, sid, sclass, av, &avd, rc, &ad);
- if (rc2)
- return rc2;
- }
+ if (opts & CAP_OPT_NOAUDIT)
+ rc = cred_self_has_perm_noaudit(cred, sclass, av);
+ else
+ rc = cred_self_has_perm(cred, sclass, av, &ad);
+
return rc;
}
@@ -3975,7 +3970,6 @@ static int default_noexec __ro_after_init;
static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
{
const struct cred *cred = current_cred();
- u32 sid = cred_sid(cred);
int rc = 0;
if (default_noexec &&
@@ -3986,9 +3980,8 @@ static int file_map_prot_check(struct file *file, unsigned long prot, int shared
* private file mapping that will also be writable.
* This has an additional check.
*/
- rc = avc_has_perm(cred_selinux_state(cred),
- sid, sid, SECCLASS_PROCESS,
- PROCESS__EXECMEM, NULL);
+ rc = cred_self_has_perm(cred, SECCLASS_PROCESS,
+ PROCESS__EXECMEM, NULL);
if (rc)
goto error;
}
@@ -4016,10 +4009,8 @@ static int selinux_mmap_addr(unsigned long addr)
int rc = 0;
if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
- u32 sid = current_sid();
- rc = avc_has_perm(current_selinux_state,
- sid, sid, SECCLASS_MEMPROTECT,
- MEMPROTECT__MMAP_ZERO, NULL);
+ rc = cred_self_has_perm(current_cred(), SECCLASS_MEMPROTECT,
+ MEMPROTECT__MMAP_ZERO, NULL);
}
return rc;
@@ -4050,7 +4041,6 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
unsigned long prot)
{
const struct cred *cred = current_cred();
- u32 sid = cred_sid(cred);
if (default_noexec &&
(prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
@@ -4066,14 +4056,12 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
*/
if (vma->vm_start >= vma->vm_mm->start_brk &&
vma->vm_end <= vma->vm_mm->brk) {
- rc = avc_has_perm(cred_selinux_state(cred), sid, sid,
- SECCLASS_PROCESS, PROCESS__EXECHEAP,
- NULL);
+ rc = cred_self_has_perm(cred, SECCLASS_PROCESS,
+ PROCESS__EXECHEAP, NULL);
} else if (!vma->vm_file && (vma_is_initial_stack(vma) ||
vma_is_stack_for_current(vma))) {
- rc = avc_has_perm(cred_selinux_state(cred), sid, sid,
- SECCLASS_PROCESS, PROCESS__EXECSTACK,
- NULL);
+ rc = cred_self_has_perm(cred, SECCLASS_PROCESS,
+ PROCESS__EXECSTACK, NULL);
} else if (vma->vm_file && vma->anon_vma) {
/*
* We are making executable a file mapping that has
@@ -4208,10 +4196,8 @@ static int selinux_file_open(struct file *file)
static int selinux_task_alloc(struct task_struct *task,
unsigned long clone_flags)
{
- u32 sid = current_sid();
-
- return avc_has_perm(current_selinux_state,
- sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
+ return cred_self_has_perm(current_cred(), SECCLASS_PROCESS,
+ PROCESS__FORK, NULL);
}
/*
@@ -4333,9 +4319,8 @@ static int selinux_kernel_load_from_file(struct file *file, u32 requested)
int rc;
if (file == NULL)
- return avc_has_perm(current_selinux_state,
- sid, sid, SECCLASS_SYSTEM, requested,
- NULL);
+ return cred_self_has_perm(current_cred(), SECCLASS_SYSTEM,
+ requested, NULL);
/* finit_module */
ad.type = LSM_AUDIT_DATA_FILE;
@@ -4556,10 +4541,8 @@ static void selinux_task_to_inode(struct task_struct *p,
static int selinux_userns_create(const struct cred *cred)
{
- u32 sid = current_sid();
-
- return avc_has_perm(current_selinux_state, sid, sid, SECCLASS_USER_NAMESPACE,
- USER_NAMESPACE__CREATE, NULL);
+ return cred_self_has_perm(current_cred(), SECCLASS_USER_NAMESPACE,
+ USER_NAMESPACE__CREATE, NULL);
}
/* Returns error only if unable to parse addresses */
@@ -6743,29 +6726,24 @@ static int selinux_lsm_setattr(u64 attr, void *value, size_t size)
*/
switch (attr) {
case LSM_ATTR_EXEC:
- error = avc_has_perm(current_selinux_state,
- mysid, mysid, SECCLASS_PROCESS,
- PROCESS__SETEXEC, NULL);
+ error = cred_self_has_perm(current_cred(), SECCLASS_PROCESS,
+ PROCESS__SETEXEC, NULL);
break;
case LSM_ATTR_FSCREATE:
- error = avc_has_perm(current_selinux_state,
- mysid, mysid, SECCLASS_PROCESS,
- PROCESS__SETFSCREATE, NULL);
+ error = cred_self_has_perm(current_cred(), SECCLASS_PROCESS,
+ PROCESS__SETFSCREATE, NULL);
break;
case LSM_ATTR_KEYCREATE:
- error = avc_has_perm(current_selinux_state,
- mysid, mysid, SECCLASS_PROCESS,
- PROCESS__SETKEYCREATE, NULL);
+ error = cred_self_has_perm(current_cred(), SECCLASS_PROCESS,
+ PROCESS__SETKEYCREATE, NULL);
break;
case LSM_ATTR_SOCKCREATE:
- error = avc_has_perm(current_selinux_state,
- mysid, mysid, SECCLASS_PROCESS,
- PROCESS__SETSOCKCREATE, NULL);
+ error = cred_self_has_perm(current_cred(), SECCLASS_PROCESS,
+ PROCESS__SETSOCKCREATE, NULL);
break;
case LSM_ATTR_CURRENT:
- error = avc_has_perm(current_selinux_state,
- mysid, mysid, SECCLASS_PROCESS,
- PROCESS__SETCURRENT, NULL);
+ error = cred_self_has_perm(current_cred(), SECCLASS_PROCESS,
+ PROCESS__SETCURRENT, NULL);
break;
default:
error = -EOPNOTSUPP;
@@ -7432,10 +7410,8 @@ static int selinux_uring_override_creds(const struct cred *new)
*/
static int selinux_uring_sqpoll(void)
{
- u32 sid = current_sid();
-
- return avc_has_perm(current_selinux_state, sid, sid,
- SECCLASS_IO_URING, IO_URING__SQPOLL, NULL);
+ return cred_self_has_perm(current_cred(), SECCLASS_IO_URING,
+ IO_URING__SQPOLL, NULL);
}
/**
@@ -7467,10 +7443,8 @@ static int selinux_uring_cmd(struct io_uring_cmd *ioucmd)
*/
static int selinux_uring_allowed(void)
{
- u32 sid = current_sid();
-
- return avc_has_perm(current_selinux_state, sid, sid,
- SECCLASS_IO_URING, IO_URING__ALLOWED, NULL);
+ return cred_self_has_perm(current_cred(), SECCLASS_IO_URING,
+ IO_URING__ALLOWED, NULL);
}
#endif /* CONFIG_IO_URING */
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index d00c9ecf5d91..25a4c438001e 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -154,6 +154,12 @@ int cred_has_extended_perms(const struct cred *cred, u32 tsid, u16 tclass,
u32 requested, u8 driver, u8 base_perm, u8 xperm,
struct common_audit_data *ad);
+int cred_self_has_perm(const struct cred *cred, u16 tclass, u32 requested,
+ struct common_audit_data *ad);
+
+int cred_self_has_perm_noaudit(const struct cred *cred, u16 tclass,
+ u32 requested);
+
u32 avc_policy_seqno(struct selinux_state *state);
#define AVC_CALLBACK_GRANT 1
--
2.49.0
Powered by blists - more mailing lists