tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

selinux: use sk blob accessor in socket permission helpers

SELinux socket state lives in the composite LSM socket blob.

sock_has_perm() and nlmsg_sock_has_extended_perms() currently
dereference sk->sk_security directly, which assumes the SELinux socket
blob is at offset zero.

In stacked configurations that assumption does not hold. If another LSM
allocates socket blob storage before SELinux, these helpers may read the
wrong blob and feed invalid SID and class values into AVC checks.

Use selinux_sock() instead of accessing sk->sk_security directly.

Fixes: d1d991efaf34 ("selinux: Add netlink xperm support")
Cc: stable@vger.kernel.org # v6.13+
Signed-off-by: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

authored by

Zongyao Chen and committed by
Paul Moore 032e70af 254f4963

+2 -2
+2 -2
security/selinux/hooks.c
··· 4920 4920 4921 4921 static int sock_has_perm(struct sock *sk, u32 perms) 4922 4922 { 4923 - struct sk_security_struct *sksec = sk->sk_security; 4923 + struct sk_security_struct *sksec = selinux_sock(sk); 4924 4924 struct common_audit_data ad; 4925 4925 struct lsm_network_audit net; 4926 4926 ··· 6227 6227 6228 6228 static int nlmsg_sock_has_extended_perms(struct sock *sk, u32 perms, u16 nlmsg_type) 6229 6229 { 6230 - struct sk_security_struct *sksec = sk->sk_security; 6230 + struct sk_security_struct *sksec = selinux_sock(sk); 6231 6231 struct common_audit_data ad; 6232 6232 u8 driver; 6233 6233 u8 xperm;