lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250610172226.1470741-25-stephen.smalley.work@gmail.com> Date: Tue, 10 Jun 2025 13:21:55 -0400 From: Stephen Smalley <stephen.smalley.work@...il.com> To: selinux@...r.kernel.org Cc: paul@...l-moore.com, omosnace@...hat.com, netdev@...r.kernel.org, Stephen Smalley <stephen.smalley.work@...il.com> Subject: [PATCH v4 24/42] selinux: introduce cred_self_has_perm() Introduce a cred_self_has_perm() function for checking permissions between a cred and itself against the current SELinux namespace and all ancestors. Also provide a cred_self_has_perm_noaudit() variant for use where auditing is not desired. Update existing permission checks in the hook functions to use this new helper. Signed-off-by: Stephen Smalley <stephen.smalley.work@...il.com> --- security/selinux/avc.c | 47 +++++++++++++++++ security/selinux/hooks.c | 92 ++++++++++++---------------------- security/selinux/include/avc.h | 6 +++ 3 files changed, 86 insertions(+), 59 deletions(-) diff --git a/security/selinux/avc.c b/security/selinux/avc.c index cf0161404bf5..d5902f643a41 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -1317,6 +1317,53 @@ int cred_has_extended_perms(const struct cred *cred, u32 tsid, u16 tclass, return 0; } +int cred_self_has_perm(const struct cred *cred, u16 tclass, u32 requested, + struct common_audit_data *ad) +{ + struct task_security_struct *tsec; + struct selinux_state *state; + u32 ssid; + int rc; + + do { + tsec = selinux_cred(cred); + ssid = tsec->sid; + state = tsec->state; + rc = avc_has_perm(state, ssid, ssid, tclass, requested, ad); + if (rc) + return rc; + + cred = tsec->parent_cred; + } while (cred); + + return 0; +} + +int cred_self_has_perm_noaudit(const struct cred *cred, u16 tclass, + u32 requested) +{ + struct task_security_struct *tsec; + struct selinux_state *state; + u32 ssid; + struct av_decision avd; + int rc; + + do { + tsec = selinux_cred(cred); + ssid = tsec->sid; + state = tsec->state; + + rc = avc_has_perm_noaudit(state, ssid, ssid, tclass, + requested, 0, &avd); + if (rc) + return rc; + + cred = tsec->parent_cred; + } while (cred); + + return 0; +} + u32 avc_policy_seqno(struct selinux_state *state) { return state->avc->avc_cache.latest_notif; diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 2112da2f5d4d..74dc35ee67dc 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1658,9 +1658,7 @@ static int cred_has_capability(const struct cred *cred, int cap, unsigned int opts, bool initns) { struct common_audit_data ad; - struct av_decision avd; u16 sclass; - u32 sid = cred_sid(cred); u32 av = CAP_TO_MASK(cap); int rc; @@ -1680,14 +1678,11 @@ static int cred_has_capability(const struct cred *cred, return -EINVAL; } - rc = avc_has_perm_noaudit(cred_selinux_state(cred), - sid, sid, sclass, av, 0, &avd); - if (!(opts & CAP_OPT_NOAUDIT)) { - int rc2 = avc_audit(cred_selinux_state(cred), - sid, sid, sclass, av, &avd, rc, &ad); - if (rc2) - return rc2; - } + if (opts & CAP_OPT_NOAUDIT) + rc = cred_self_has_perm_noaudit(cred, sclass, av); + else + rc = cred_self_has_perm(cred, sclass, av, &ad); + return rc; } @@ -3975,7 +3970,6 @@ static int default_noexec __ro_after_init; static int file_map_prot_check(struct file *file, unsigned long prot, int shared) { const struct cred *cred = current_cred(); - u32 sid = cred_sid(cred); int rc = 0; if (default_noexec && @@ -3986,9 +3980,8 @@ static int file_map_prot_check(struct file *file, unsigned long prot, int shared * private file mapping that will also be writable. * This has an additional check. */ - rc = avc_has_perm(cred_selinux_state(cred), - sid, sid, SECCLASS_PROCESS, - PROCESS__EXECMEM, NULL); + rc = cred_self_has_perm(cred, SECCLASS_PROCESS, + PROCESS__EXECMEM, NULL); if (rc) goto error; } @@ -4016,10 +4009,8 @@ static int selinux_mmap_addr(unsigned long addr) int rc = 0; if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { - u32 sid = current_sid(); - rc = avc_has_perm(current_selinux_state, - sid, sid, SECCLASS_MEMPROTECT, - MEMPROTECT__MMAP_ZERO, NULL); + rc = cred_self_has_perm(current_cred(), SECCLASS_MEMPROTECT, + MEMPROTECT__MMAP_ZERO, NULL); } return rc; @@ -4050,7 +4041,6 @@ static int selinux_file_mprotect(struct vm_area_struct *vma, unsigned long prot) { const struct cred *cred = current_cred(); - u32 sid = cred_sid(cred); if (default_noexec && (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { @@ -4066,14 +4056,12 @@ static int selinux_file_mprotect(struct vm_area_struct *vma, */ if (vma->vm_start >= vma->vm_mm->start_brk && vma->vm_end <= vma->vm_mm->brk) { - rc = avc_has_perm(cred_selinux_state(cred), sid, sid, - SECCLASS_PROCESS, PROCESS__EXECHEAP, - NULL); + rc = cred_self_has_perm(cred, SECCLASS_PROCESS, + PROCESS__EXECHEAP, NULL); } else if (!vma->vm_file && (vma_is_initial_stack(vma) || vma_is_stack_for_current(vma))) { - rc = avc_has_perm(cred_selinux_state(cred), sid, sid, - SECCLASS_PROCESS, PROCESS__EXECSTACK, - NULL); + rc = cred_self_has_perm(cred, SECCLASS_PROCESS, + PROCESS__EXECSTACK, NULL); } else if (vma->vm_file && vma->anon_vma) { /* * We are making executable a file mapping that has @@ -4208,10 +4196,8 @@ static int selinux_file_open(struct file *file) static int selinux_task_alloc(struct task_struct *task, unsigned long clone_flags) { - u32 sid = current_sid(); - - return avc_has_perm(current_selinux_state, - sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL); + return cred_self_has_perm(current_cred(), SECCLASS_PROCESS, + PROCESS__FORK, NULL); } /* @@ -4333,9 +4319,8 @@ static int selinux_kernel_load_from_file(struct file *file, u32 requested) int rc; if (file == NULL) - return avc_has_perm(current_selinux_state, - sid, sid, SECCLASS_SYSTEM, requested, - NULL); + return cred_self_has_perm(current_cred(), SECCLASS_SYSTEM, + requested, NULL); /* finit_module */ ad.type = LSM_AUDIT_DATA_FILE; @@ -4556,10 +4541,8 @@ static void selinux_task_to_inode(struct task_struct *p, static int selinux_userns_create(const struct cred *cred) { - u32 sid = current_sid(); - - return avc_has_perm(current_selinux_state, sid, sid, SECCLASS_USER_NAMESPACE, - USER_NAMESPACE__CREATE, NULL); + return cred_self_has_perm(current_cred(), SECCLASS_USER_NAMESPACE, + USER_NAMESPACE__CREATE, NULL); } /* Returns error only if unable to parse addresses */ @@ -6743,29 +6726,24 @@ static int selinux_lsm_setattr(u64 attr, void *value, size_t size) */ switch (attr) { case LSM_ATTR_EXEC: - error = avc_has_perm(current_selinux_state, - mysid, mysid, SECCLASS_PROCESS, - PROCESS__SETEXEC, NULL); + error = cred_self_has_perm(current_cred(), SECCLASS_PROCESS, + PROCESS__SETEXEC, NULL); break; case LSM_ATTR_FSCREATE: - error = avc_has_perm(current_selinux_state, - mysid, mysid, SECCLASS_PROCESS, - PROCESS__SETFSCREATE, NULL); + error = cred_self_has_perm(current_cred(), SECCLASS_PROCESS, + PROCESS__SETFSCREATE, NULL); break; case LSM_ATTR_KEYCREATE: - error = avc_has_perm(current_selinux_state, - mysid, mysid, SECCLASS_PROCESS, - PROCESS__SETKEYCREATE, NULL); + error = cred_self_has_perm(current_cred(), SECCLASS_PROCESS, + PROCESS__SETKEYCREATE, NULL); break; case LSM_ATTR_SOCKCREATE: - error = avc_has_perm(current_selinux_state, - mysid, mysid, SECCLASS_PROCESS, - PROCESS__SETSOCKCREATE, NULL); + error = cred_self_has_perm(current_cred(), SECCLASS_PROCESS, + PROCESS__SETSOCKCREATE, NULL); break; case LSM_ATTR_CURRENT: - error = avc_has_perm(current_selinux_state, - mysid, mysid, SECCLASS_PROCESS, - PROCESS__SETCURRENT, NULL); + error = cred_self_has_perm(current_cred(), SECCLASS_PROCESS, + PROCESS__SETCURRENT, NULL); break; default: error = -EOPNOTSUPP; @@ -7432,10 +7410,8 @@ static int selinux_uring_override_creds(const struct cred *new) */ static int selinux_uring_sqpoll(void) { - u32 sid = current_sid(); - - return avc_has_perm(current_selinux_state, sid, sid, - SECCLASS_IO_URING, IO_URING__SQPOLL, NULL); + return cred_self_has_perm(current_cred(), SECCLASS_IO_URING, + IO_URING__SQPOLL, NULL); } /** @@ -7467,10 +7443,8 @@ static int selinux_uring_cmd(struct io_uring_cmd *ioucmd) */ static int selinux_uring_allowed(void) { - u32 sid = current_sid(); - - return avc_has_perm(current_selinux_state, sid, sid, - SECCLASS_IO_URING, IO_URING__ALLOWED, NULL); + return cred_self_has_perm(current_cred(), SECCLASS_IO_URING, + IO_URING__ALLOWED, NULL); } #endif /* CONFIG_IO_URING */ diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h index d00c9ecf5d91..25a4c438001e 100644 --- a/security/selinux/include/avc.h +++ b/security/selinux/include/avc.h @@ -154,6 +154,12 @@ int cred_has_extended_perms(const struct cred *cred, u32 tsid, u16 tclass, u32 requested, u8 driver, u8 base_perm, u8 xperm, struct common_audit_data *ad); +int cred_self_has_perm(const struct cred *cred, u16 tclass, u32 requested, + struct common_audit_data *ad); + +int cred_self_has_perm_noaudit(const struct cred *cred, u16 tclass, + u32 requested); + u32 avc_policy_seqno(struct selinux_state *state); #define AVC_CALLBACK_GRANT 1 -- 2.49.0
Powered by blists - more mailing lists