| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250610172226.1470741-43-stephen.smalley.work@gmail.com>
Date: Tue, 10 Jun 2025 13:22:13 -0400
From: Stephen Smalley <stephen.smalley.work@...il.com>
To: selinux@...r.kernel.org
Cc: paul@...l-moore.com,
omosnace@...hat.com,
netdev@...r.kernel.org,
Stephen Smalley <stephen.smalley.work@...il.com>
Subject: [PATCH v4 42/42] selinux: disallow writes to /sys/fs/selinux/user in non-init namespaces
Disallow writes to /sys/fs/selinux/user in non-init SELinux namespaces.
Signed-off-by: Stephen Smalley <stephen.smalley.work@...il.com>
---
security/selinux/selinuxfs.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index c7825db4e06f..7450ab7c92d0 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -1371,10 +1371,20 @@ static ssize_t sel_write_user(struct file *file, char *buf, size_t size)
int rc;
u32 i, len, nsids;
- pr_warn_ratelimited("SELinux: %s (%d) wrote to /sys/fs/selinux/user!"
- " This will not be supported in the future; please update your"
- " userspace.\n", current->comm, current->pid);
- ssleep(5);
+ if (state == init_selinux_state) {
+ pr_warn_ratelimited("SELinux: %s (%d) wrote to"
+ " /sys/fs/selinux/user! This will not be"
+ " supported in the future; please update your"
+ " userspace.\n", current->comm, current->pid);
+ ssleep(5);
+ } else {
+ pr_warn_ratelimited("SELinux: %s (%d) tried to write to"
+ " /sys/fs/selinux/user! This is not supported"
+ " in non-init SELinux namespaces; please"
+ " update your userspace.\n", current->comm,
+ current->pid);
+ return -EPERM;
+ }
/*
* Only check against the current namespace because
--
2.49.0
Powered by blists - more mailing lists