
Merge tag 'selinux-pr-20250323' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux

Pull selinux updates from Paul Moore:

- Add additional SELinux access controls for kernel file reads/loads

The SELinux kernel file read/load access controls were never updated
beyond the initial kernel module support, this pull request adds
support for firmware, kexec, policies, and x.509 certificates.

- Add support for wildcards in network interface names

There are a number of userspace tools which auto-generate network
interface names using some pattern of <XXXX>-<NN> where <XXXX> is a
fixed string, e.g. "podman", and <NN> is an increasing counter.
Supporting wildcards in the SELinux policy for network interfaces
simplifies the policy associated with these interfaces.

- Fix a potential problem in the kernel read file SELinux code

SELinux should always check the file label in the
security_kernel_read_file() LSM hook, regardless of if the file is
being read in chunks. Unfortunately, the existing code only
considered the file label on the first chunk; this pull request fixes
this problem.

There is more detail in the individual commit, but thankfully the
existing code didn't expose a bug due to multi-stage reads only
taking place in one driver, and that driver loading a file type that
isn't targeted by the SELinux policy.

- Fix the subshell error handling in the example policy loader

Minor fix to SELinux example policy loader in scripts/selinux due to
an undesired interaction with subshells and errexit.

* tag 'selinux-pr-20250323' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
selinux: get netif_wildcard policycap from policy instead of cache
selinux: support wildcard network interface names
selinux: Chain up tool resolving errors in install_policy.sh
selinux: add permission checks for loading other kinds of kernel files
selinux: always check the file label in selinux_kernel_read_file()
selinux: fix spelling error

+79 -25
+6 -9
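--- a/scripts/selinux/install_policy.sh
+++ b/scripts/selinux/install_policy.sh
@@ -6,27 +6,24 @@
 exit 1
 fi
 
-SF=`which setfiles`
-if [ $? -eq 1 ]; then
+SF=`which setfiles` || {
 echo "Could not find setfiles"
 echo "Do you have policycoreutils installed?"
 exit 1
-fi
+}
 
-CP=`which checkpolicy`
-if [ $? -eq 1 ]; then
+CP=`which checkpolicy` || {
 echo "Could not find checkpolicy"
 echo "Do you have checkpolicy installed?"
 exit 1
-fi
+}
 VERS=`$CP -V | awk '{print $1}'`
 
-ENABLED=`which selinuxenabled`
-if [ $? -eq 1 ]; then
+ENABLED=`which selinuxenabled` || {
 echo "Could not find selinuxenabled"
 echo "Do you have libselinux-utils installed?"
 exit 1
-fi
+}
 
 if selinuxenabled; then
 echo "SELinux is already enabled"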
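Review bot: The three tool lookups still go through `which`, which is not specified by POSIX and varies between distributions in exit status and output, while the `|| { ... }` form introduced here relies only on a non-zero exit; `command -v` is the portable shell builtin with that exact contract, e.g. `SF=$(command -v setfiles) || {`. This is a style point rather than a defect in the new error handling, which now aborts correctly whenever the tool is missing instead of only on exit status 1. The script's header and everything after the selinuxenabled check are outside this section.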
+1 -1
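--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -936,7 +936,7 @@
 
 spin_lock_irqsave(lock, flag);
 /*
-* With preemptable RCU, the outer spinlock does not
+* With preemptible RCU, the outer spinlock does not
 * prevent RCU grace periods from ending.
 */
 rcu_read_lock();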
+48 -10
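--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4099,7 +4099,7 @@
 SYSTEM__MODULE_REQUEST, &ad);
 }
 
-static int selinux_kernel_module_from_file(struct file *file)
+static int selinux_kernel_load_from_file(struct file *file, u32 requested)
 {
 struct common_audit_data ad;
 struct inode_security_struct *isec;
@@ -4107,12 +4107,8 @@
 u32 sid = current_sid();
 int rc;
 
-/* init_module */
 if (file == NULL)
-return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
-SYSTEM__MODULE_LOAD, NULL);
-
-/* finit_module */
+return avc_has_perm(sid, sid, SECCLASS_SYSTEM, requested, NULL);
 
 ad.type = LSM_AUDIT_DATA_FILE;
 ad.u.file = file;
@@ -4121,8 +4125,7 @@
 }
 
 isec = inode_security(file_inode(file));
-return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
-SYSTEM__MODULE_LOAD, &ad);
+return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM, requested, &ad);
 }
 
 static int selinux_kernel_read_file(struct file *file,
@@ -4130,9 +4135,30 @@
 {
 int rc = 0;
 
+BUILD_BUG_ON_MSG(READING_MAX_ID > 7,
+"New kernel_read_file_id introduced; update SELinux!");
+
 switch (id) {
+case READING_FIRMWARE:
+rc = selinux_kernel_load_from_file(file, SYSTEM__FIRMWARE_LOAD);
+break;
 case READING_MODULE:
-rc = selinux_kernel_module_from_file(contents ? file : NULL);
+rc = selinux_kernel_load_from_file(file, SYSTEM__MODULE_LOAD);
+break;
+case READING_KEXEC_IMAGE:
+rc = selinux_kernel_load_from_file(file,
+SYSTEM__KEXEC_IMAGE_LOAD);
+break;
+case READING_KEXEC_INITRAMFS:
+rc = selinux_kernel_load_from_file(file,
+SYSTEM__KEXEC_INITRAMFS_LOAD);
+break;
+case READING_POLICY:
+rc = selinux_kernel_load_from_file(file, SYSTEM__POLICY_LOAD);
+break;
+case READING_X509_CERTIFICATE:
+rc = selinux_kernel_load_from_file(file,
+SYSTEM__X509_CERTIFICATE_LOAD);
 break;
 default:
 break;
@@ -4166,9 +4150,31 @@
 {
 int rc = 0;
 
+BUILD_BUG_ON_MSG(LOADING_MAX_ID > 7,
+"New kernel_load_data_id introduced; update SELinux!");
+
 switch (id) {
+case LOADING_FIRMWARE:
+rc = selinux_kernel_load_from_file(NULL, SYSTEM__FIRMWARE_LOAD);
+break;
 case LOADING_MODULE:
-rc = selinux_kernel_module_from_file(NULL);
+rc = selinux_kernel_load_from_file(NULL, SYSTEM__MODULE_LOAD);
+break;
+case LOADING_KEXEC_IMAGE:
+rc = selinux_kernel_load_from_file(NULL,
+SYSTEM__KEXEC_IMAGE_LOAD);
+break;
+case LOADING_KEXEC_INITRAMFS:
+rc = selinux_kernel_load_from_file(NULL,
+SYSTEM__KEXEC_INITRAMFS_LOAD);
+break;
+case LOADING_POLICY:
+rc = selinux_kernel_load_from_file(NULL,
+SYSTEM__POLICY_LOAD);
+break;
+case LOADING_X509_CERTIFICATE:
+rc = selinux_kernel_load_from_file(NULL,
+SYSTEM__X509_CERTIFICATE_LOAD);
 break;
 default:
 break;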
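Review bot: `selinux_kernel_load_from_file()` now has a two-mode contract that nothing documents: with `file == NULL` it checks `requested` against the caller's own SID (`avc_has_perm(sid, sid, SECCLASS_SYSTEM, requested, NULL)`), otherwise against the inode label of the file, and in the code shown the NULL path is only reached from `selinux_kernel_load_data()` since `selinux_kernel_read_file()` no longer passes `contents ? file : NULL`. A kerneldoc block above the function saying that `@file` is the file being loaded or NULL when the data arrives from a userspace buffer, and that `@requested` is the SECCLASS_SYSTEM permission to check, would stop a future caller from passing NULL to sidestep the file-label check. In both switch statements `default: break;` leaves `rc = 0`, so `READING_UNKNOWN`/`LOADING_UNKNOWN` is permitted without any check; the BUILD_BUG_ON only catches new enumerators, so if allowing the unknown id is intended a one-line comment on the `default:` should say so. The middle of `selinux_kernel_load_from_file()` and the start of `selinux_kernel_load_data()` lie outside the displayed hunks.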
+3 -1
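--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -63,7 +63,9 @@
 { "process2", { "nnp_transition", "nosuid_transition", NULL } },
 { "system",
 { "ipc_info", "syslog_read", "syslog_mod", "syslog_console",
-"module_request", "module_load", NULL } },
+"module_request", "module_load", "firmware_load",
+"kexec_image_load", "kexec_initramfs_load", "policy_load",
+"x509_certificate_load", NULL } },
 { "capability", { COMMON_CAP_PERMS, NULL } },
 { "filesystem",
 { "mount", "remount", "unmount", "getattr", "relabelfrom",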
+1
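--- a/security/selinux/include/policycap.h
+++ b/security/selinux/include/policycap.h
@@ -15,6 +15,7 @@
 POLICYDB_CAP_IOCTL_SKIP_CLOEXEC,
 POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT,
 POLICYDB_CAP_NETLINK_XPERM,
+POLICYDB_CAP_NETIF_WILDCARD,
 __POLICYDB_CAP_MAX
 };
 #define POLICYDB_CAP_MAX (__POLICYDB_CAP_MAX - 1)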
+1
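--- a/security/selinux/include/policycap_names.h
+++ b/security/selinux/include/policycap_names.h
@@ -18,6 +18,7 @@
 "ioctl_skip_cloexec",
 "userspace_initial_context",
 "netlink_xperm",
+"netif_wildcard",
 };
 /* clang-format on */
 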
+7 -1
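--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -202,6 +202,12 @@
 selinux_state.policycap[POLICYDB_CAP_NETLINK_XPERM]);
 }
 
+static inline bool selinux_policycap_netif_wildcard(void)
+{
+return READ_ONCE(
+selinux_state.policycap[POLICYDB_CAP_NETIF_WILDCARD]);
+}
+
 struct selinux_policy_convert_data;
 
 struct selinux_load_state {
@@ -307,7 +301,7 @@
 
 int security_ib_endport_sid(const char *dev_name, u8 port_num, u32 *out_sid);
 
-int security_netif_sid(char *name, u32 *if_sid);
+int security_netif_sid(const char *name, u32 *if_sid);
 
 int security_node_sid(u16 domain, void *addr, u32 addrlen, u32 *out_sid);
 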
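Review bot: The new `selinux_policycap_netif_wildcard()` accessor has no caller anywhere in this diff; the netif lookup in services.c reads the bit straight from `policydb->policycaps` of the policy it is querying (matching the `get netif_wildcard policycap from policy instead of cache` commit in the series), so unless something outside the diff uses it the inline helper is dead code, and one that invites future callers to consult the cached `selinux_state.policycap` rather than the policy actually being walked. Either drop it or add a comment above it naming the intended user. The `const char *name` change to the `security_netif_sid()` prototype matches the definition in services.c.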
+12 -3
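--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -46,6 +46,7 @@
 #include <linux/in.h>
 #include <linux/sched.h>
 #include <linux/audit.h>
+#include <linux/parser.h>
 #include <linux/vmalloc.h>
 #include <linux/lsm_hooks.h>
 #include <net/netlabel.h>
@@ -2573,13 +2572,14 @@
 * @name: interface name
 * @if_sid: interface SID
 */
-int security_netif_sid(char *name, u32 *if_sid)
+int security_netif_sid(const char *name, u32 *if_sid)
 {
 struct selinux_policy *policy;
 struct policydb *policydb;
 struct sidtab *sidtab;
 int rc;
 struct ocontext *c;
+bool wildcard_support;
 
 if (!selinux_initialized()) {
 *if_sid = SECINITSID_NETIF;
@@ -2593,11 +2591,18 @@
 policy = rcu_dereference(selinux_state.policy);
 policydb = &policy->policydb;
 sidtab = policy->sidtab;
+wildcard_support = ebitmap_get_bit(&policydb->policycaps, POLICYDB_CAP_NETIF_WILDCARD);
 
 c = policydb->ocontexts[OCON_NETIF];
 while (c) {
-if (strcmp(name, c->u.name) == 0)
-break;
+if (wildcard_support) {
+if (match_wildcard(c->u.name, name))
+break;
+} else {
+if (strcmp(c->u.name, name) == 0)
+break;
+}
+
 c = c->next;
 }
 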
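Review bot: The lookup loop breaks on the first `match_wildcard(c->u.name, name)` hit, so once wildcards are enabled overlapping netifcon patterns (say `podman*` alongside `podman-1`) are resolved purely by the order of entries in `policydb->ocontexts[OCON_NETIF]`, which the code does not state and which policy authors will not expect without a note; a comment such as `/* first matching netifcon wins; with wildcards, entry order decides overlaps */` above the `while (c)` loop would record that. The policy entry is passed as the pattern and the kernel interface name as the string, which is the argument order `match_wildcard()` takes, so the policy side, not the interface name, carries the wildcards. The `wildcard_support = ebitmap_get_bit(...)` line also runs past the kernel's 80-column limit and could be wrapped. The remainder of `security_netif_sid()` after the loop is outside the hunk.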