
Merge tag 'selinux-pr-20260501' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux

Pull selinux fixes from Paul Moore:

- Ensure SELinux is always properly accessing its own sock LSM state

- Only reserve an xattr slot for SELinux if it will be used

- Fix a SELinux auditing regression in the directory avdcache

* tag 'selinux-pr-20260501' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
selinux: fix avdcache auditing
selinux: don't reserve xattr slot when we won't fill it
selinux: use sk blob accessor in socket permission helpers

+18 -24
+17 -21
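--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2966,7 +2966,7 @@
 {
 	const struct cred_security_struct *crsec = selinux_cred(current_cred());
 	struct superblock_security_struct *sbsec;
-	struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count);
+	struct xattr *xattr;
 	u32 newsid, clen;
 	u16 newsclass;
 	int rc;
@@ -2992,6 +2992,7 @@
 	    !(sbsec->flags & SBLABEL_MNT))
 		return -EOPNOTSUPP;
 
+	xattr = lsm_get_xattr_slot(xattrs, xattr_count);
 	if (xattr) {
 		rc = security_sid_to_context_force(newsid,
 						   &context, &clen);
@@ -3209,15 +3208,13 @@
  * @tsec: the task's security state
  * @isec: the inode associated with the cache entry
  * @avd: the AVD to cache
- * @audited: the permission audit bitmask to cache
  *
- * Update the AVD cache in @tsec with the @avdc and @audited info associated
+ * Update the AVD cache in @tsec with the @avd info associated
  * with @isec.
  */
 static inline void task_avdcache_update(struct task_security_struct *tsec,
 					struct inode_security_struct *isec,
-					struct av_decision *avd,
-					u32 audited)
+					struct av_decision *avd)
 {
 	int spot;
 
@@ -3227,9 +3228,7 @@
 	spot = (tsec->avdcache.dir_spot + 1) & (TSEC_AVDC_DIR_SIZE - 1);
 	tsec->avdcache.dir_spot = spot;
 	tsec->avdcache.dir[spot].isid = isec->sid;
-	tsec->avdcache.dir[spot].audited = audited;
-	tsec->avdcache.dir[spot].allowed = avd->allowed;
-	tsec->avdcache.dir[spot].permissive = avd->flags & AVD_FLAGS_PERMISSIVE;
+	tsec->avdcache.dir[spot].avd = *avd;
 	tsec->avdcache.permissive_neveraudit =
 		(avd->flags == (AVD_FLAGS_PERMISSIVE|AVD_FLAGS_NEVERAUDIT));
 }
@@ -3248,6 +3251,7 @@
 	struct task_security_struct *tsec;
 	struct inode_security_struct *isec;
 	struct avdc_entry *avdc;
+	struct av_decision avd, *avdp = &avd;
 	int rc, rc2;
 	u32 audited, denied;
 
@@ -3270,23 +3272,21 @@
 	rc = task_avdcache_search(tsec, isec, &avdc);
 	if (likely(!rc)) {
 		/* Cache hit. */
-		audited = perms & avdc->audited;
-		denied = perms & ~avdc->allowed;
-		if (unlikely(denied && enforcing_enabled() &&
-			     !avdc->permissive))
+		avdp = &avdc->avd;
+		denied = perms & ~avdp->allowed;
+		if (unlikely(denied) && enforcing_enabled() &&
+		    !(avdp->flags & AVD_FLAGS_PERMISSIVE))
 			rc = -EACCES;
 	} else {
-		struct av_decision avd;
-
 		/* Cache miss. */
 		rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass,
-					  perms, 0, &avd);
-		audited = avc_audit_required(perms, &avd, rc,
-			(requested & MAY_ACCESS) ? FILE__AUDIT_ACCESS : 0,
-			&denied);
-		task_avdcache_update(tsec, isec, &avd, audited);
+					  perms, 0, avdp);
+		task_avdcache_update(tsec, isec, avdp);
 	}
 
+	audited = avc_audit_required(perms, avdp, rc,
+				     (requested & MAY_ACCESS) ?
+				     FILE__AUDIT_ACCESS : 0, &denied);
 	if (likely(!audited))
 		return rc;
 
@@ -4916,7 +4920,7 @@
 
 static int sock_has_perm(struct sock *sk, u32 perms)
 {
-	struct sk_security_struct *sksec = sk->sk_security;
+	struct sk_security_struct *sksec = selinux_sock(sk);
 	struct common_audit_data ad;
 	struct lsm_network_audit net;
 
@@ -6223,7 +6227,7 @@
 
 static int nlmsg_sock_has_extended_perms(struct sock *sk, u32 perms, u16 nlmsg_type)
 {
-	struct sk_security_struct *sksec = sk->sk_security;
+	struct sk_security_struct *sksec = selinux_sock(sk);
 	struct common_audit_data ad;
 	u8 driver;
 	u8 xperm;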
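Review bot: On the cache-hit path of the avdcache hunk (new lines 3275–3289), `avdp = &avdc->avd;` makes `avdp` alias storage inside `tsec->avdcache.dir[]` rather than the stack copy the old code used, and `avc_audit_required()` then reads through that alias after the if/else. That is sound here because nothing between the two touches the cache and `tsec` appears to be the calling task's own state (so no concurrent writer is expected — confirm), but it is a trap for a later edit that calls `task_avdcache_update()` or rotates `dir_spot` before the audit mask is computed, which would silently audit against a different entry. I would record the invariant above the `if (likely(!rc))` with `/* On a hit avdp aliases the cache entry; leave tsec->avdcache untouched until avc_audit_required() has run. */`. The enclosing function starts before and ends after this hunk.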
+1 -3
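--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -32,9 +32,7 @@
 
 struct avdc_entry {
 	u32 isid; /* inode SID */
-	u32 allowed; /* allowed permission bitmask */
-	u32 audited; /* audited permission bitmask */
-	bool permissive; /* AVC permissive flag */
+	struct av_decision avd; /* av decision */
 };
 
 struct cred_security_struct {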
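Review bot: The new field comment `/* av decision */` on line 35 says less than the three comments it replaces, and the reason for embedding the whole decision — so the audit mask can be re-derived for each request's `perms` instead of caching a value computed for an earlier request — is exactly what a reader of this struct needs; I would write `struct av_decision avd; /* full AVC decision (allowed, audit masks, flags); audited bits are derived per request */`. Embedding `struct av_decision` by value also requires its complete definition to be visible in this header, not just a forward declaration; the hunk adds no include, so presumably the defining header is already pulled in — worth confirming rather than relying on include order. Note that each `avdc_entry` grows from three scalars to the full decision struct, multiplied by `TSEC_AVDC_DIR_SIZE` per task; harmless as far as I can tell, but a one-line remark on the struct would pre-empt the question.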