Message-ID: <20250610172226.1470741-43-stephen.smalley.work@gmail.com> Date: Tue, 10 Jun 2025 13:22:13 -0400 From: Stephen Smalley <stephen.smalley.work@...il.com> To: selinux@...r.kernel.org Cc: paul@...l-moore.com, omosnace@...hat.com, netdev@...r.kernel.org, Stephen Smalley <stephen.smalley.work@...il.com> Subject: [PATCH v4 42/42] selinux: disallow writes to /sys/fs/selinux/user in non-init namespaces Disallow writes to /sys/fs/selinux/user in non-init SELinux namespaces. Signed-off-by: Stephen Smalley <stephen.smalley.work@...il.com> --- security/selinux/selinuxfs.c | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index c7825db4e06f..7450ab7c92d0 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -1371,10 +1371,20 @@ static ssize_t sel_write_user(struct file *file, char *buf, size_t size) int rc; u32 i, len, nsids; - pr_warn_ratelimited("SELinux: %s (%d) wrote to /sys/fs/selinux/user!" - " This will not be supported in the future; please update your" - " userspace.\n", current->comm, current->pid); - ssleep(5); + if (state == init_selinux_state) { + pr_warn_ratelimited("SELinux: %s (%d) wrote to" + " /sys/fs/selinux/user! This will not be" + " supported in the future; please update your" + " userspace.\n", current->comm, current->pid); + ssleep(5); + } else { + pr_warn_ratelimited("SELinux: %s (%d) tried to write to" + " /sys/fs/selinux/user! This is not supported" + " in non-init SELinux namespaces; please" + " update your userspace.\n", current->comm, + current->pid); + return -EPERM; + } /* * Only check against the current namespace because -- 2.49.0
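Review bot: the new branch compares `state == init_selinux_state`, but `state` is not declared in the visible context of this hunk (only `int rc; u32 i, len, nsids;`), so please confirm in the commit message where it is obtained; the right object is the namespace state of the selinuxfs instance being written, since that is what decides whether the write is allowed. The commit message should also say that writes from non-init namespaces now fail with -EPERM (previously this path always proceeded after the 5-second `ssleep(5)`), as that is a userspace-visible change; consider whether -EOPNOTSUPP better matches the "not supported" wording of the warning. Minor: the else branch tells the caller to "update your userspace" even though no userspace change can make the write work in a non-init namespace, so trimming that clause would make the message accurate.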