Introduce a cred_self_has_perm() function for checking permissions between a cred and itself against the current SELinux namespace and all ancestors. Also provide a cred_self_has_perm_noaudit() variant for use where auditing is not desired. Update existing permission checks in the hook functions to use this new helper.
Signed-off-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
---
 security/selinux/avc.c | 47 +++++++++++++++++++
 security/selinux/hooks.c | 86 ++++++++++++----------------------
 security/selinux/include/avc.h | 6 +++
 3 files changed, 84 insertions(+), 55 deletions(-)
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 93a7eaa42cdd..8f6a8992170a 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -1302,6 +1302,53 @@ int cred_has_extended_perms(const struct cred *cred, u32 tsid, u16 tclass,
 return 0;
 }
+int cred_self_has_perm(const struct cred *cred, u16 tclass, u32 requested,
+ struct common_audit_data *ad)
+{
+ struct task_security_struct *tsec;
+ struct selinux_state *state;
+ u32 ssid;
+ int rc;
+
+ do {
+ tsec = selinux_cred(cred);
+ ssid = tsec->sid;
+ state = tsec->state;
+ rc = avc_has_perm(state, ssid, ssid, tclass, requested, ad);
+ if (rc)
+ return rc;
+
+ cred = tsec->parent_cred;
+ } while (cred);
+
+ return 0;
+}
+
+int cred_self_has_perm_noaudit(const struct cred *cred, u16 tclass,
+ u32 requested)
+{
+ struct task_security_struct *tsec;
+ struct selinux_state *state;
+ u32 ssid;
+ struct av_decision avd;
+ int rc;
+
+ do {
+ tsec = selinux_cred(cred);
+ ssid = tsec->sid;
+ state = tsec->state;
+
+ rc = avc_has_perm_noaudit(state, ssid, ssid, tclass,
+ requested, 0, &avd);
+ if (rc)
+ return rc;
+
+ cred = tsec->parent_cred;
+ } while (cred);
+
+ return 0;
+}
+
 u32 avc_policy_seqno(struct selinux_state *state)
 {
 return state->avc->avc_cache.latest_notif;
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 7608774ac283..f0fb515ca56e 100644
--- a/security/selinux/hooks.c
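Review bot: cred_self_has_perm() and cred_self_has_perm_noaudit() are new non-static helpers with no kernel-doc, and the property a reviewer most needs — that the permission must be granted by the policy of the cred's own namespace and of every namespace reached through parent_cred, that the walk stops at the first denial, and that the same `ad` is passed to every level — is only visible by reading the loop. A comment such as `/* Check cred against itself in its own namespace and each ancestor; the first denial is returned. cred must be non-NULL. */` above cred_self_has_perm (and mirrored on the two declarations in the avc.h hunk) would carry that. Note that cred is dereferenced through selinux_cred() before the while condition is ever evaluated, so a NULL cred is a crash rather than a denial; every caller converted in this patch passes a valid cred, so this is a contract to document rather than a bug. The noaudit variant discards `avd` at every level, so a caller cannot learn which namespace denied; if callers are expected to care about that, say so in its comment.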
+++ b/security/selinux/hooks.c
@@ -1654,9 +1654,7 @@ static int cred_has_capability(const struct cred *cred,
 int cap, unsigned int opts, bool initns)
 {
 struct common_audit_data ad;
- struct av_decision avd;
 u16 sclass;
- u32 sid = cred_sid(cred);
 u32 av = CAP_TO_MASK(cap);
 int rc;
@@ -1676,14 +1674,11 @@ static int cred_has_capability(const struct cred *cred,
 return -EINVAL;
 }
- rc = avc_has_perm_noaudit(cred_selinux_state(cred),
- sid, sid, sclass, av, 0, &avd);
- if (!(opts & CAP_OPT_NOAUDIT)) {
- int rc2 = avc_audit(cred_selinux_state(cred),
- sid, sid, sclass, av, &avd, rc, &ad);
- if (rc2)
- return rc2;
- }
+ if (opts & CAP_OPT_NOAUDIT)
+ rc = cred_self_has_perm_noaudit(cred, sclass, av);
+ else
+ rc = cred_self_has_perm(cred, sclass, av, &ad);
+
 return rc;
 }
@@ -3853,7 +3848,6 @@ static int default_noexec __ro_after_init;
 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
 {
 const struct cred *cred = current_cred();
- u32 sid = cred_sid(cred);
 int rc = 0;
 if (default_noexec &&
@@ -3864,9 +3858,8 @@ static int file_map_prot_check(struct file *file, unsigned long prot, int shared
 * private file mapping that will also be writable.
 * This has an additional check.
 */
- rc = avc_has_perm(cred_selinux_state(cred),
- sid, sid, SECCLASS_PROCESS,
- PROCESS__EXECMEM, NULL);
+ rc = cred_self_has_perm(cred, SECCLASS_PROCESS,
+ PROCESS__EXECMEM, NULL);
 if (rc)
 goto error;
 }
@@ -3894,10 +3887,8 @@ static int selinux_mmap_addr(unsigned long addr)
 int rc = 0;
 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
- u32 sid = current_sid();
- rc = avc_has_perm(current_selinux_state,
- sid, sid, SECCLASS_MEMPROTECT,
- MEMPROTECT__MMAP_ZERO, NULL);
+ rc = cred_self_has_perm(current_cred(), SECCLASS_MEMPROTECT,
+ MEMPROTECT__MMAP_ZERO, NULL);
 }
 return rc;
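Review bot: In the second cred_has_capability hunk the capability check now has to pass in the cred's own namespace and in every ancestor, yet nothing in cred_has_capability says so; the rest of the function, where `ad` and `sclass` are presumably set up, is outside the hunk. A one-line comment above the new if, `/* must be allowed in this namespace and in every ancestor namespace */`, would make the semantic change visible where capability decisions are read. The two branches differ only in whether `&ad` is consumed, so `return (opts & CAP_OPT_NOAUDIT) ? cred_self_has_perm_noaudit(cred, sclass, av) : cred_self_has_perm(cred, sclass, av, &ad);` would drop `rc` and the added blank line, a style preference only. The same ancestor-walk change applies to the file_map_prot_check and selinux_mmap_addr hunks below and needs no separate comment there.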
@@ -3928,7 +3919,6 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
 unsigned long prot)
 {
 const struct cred *cred = current_cred();
- u32 sid = cred_sid(cred);
 if (default_noexec &&
 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
@@ -3944,14 +3934,12 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
 */
 if (vma->vm_start >= vma->vm_mm->start_brk &&
 vma->vm_end <= vma->vm_mm->brk) {
- rc = avc_has_perm(cred_selinux_state(cred), sid, sid,
- SECCLASS_PROCESS, PROCESS__EXECHEAP,
- NULL);
+ rc = cred_self_has_perm(cred, SECCLASS_PROCESS,
+ PROCESS__EXECHEAP, NULL);
 } else if (!vma->vm_file && (vma_is_initial_stack(vma) ||
 vma_is_stack_for_current(vma))) {
- rc = avc_has_perm(cred_selinux_state(cred), sid, sid,
- SECCLASS_PROCESS, PROCESS__EXECSTACK,
- NULL);
+ rc = cred_self_has_perm(cred, SECCLASS_PROCESS,
+ PROCESS__EXECSTACK, NULL);
 } else if (vma->vm_file && vma->anon_vma) {
 /*
 * We are making executable a file mapping that has
@@ -4086,10 +4074,8 @@ static int selinux_file_open(struct file *file)
 static int selinux_task_alloc(struct task_struct *task,
 unsigned long clone_flags)
 {
- u32 sid = current_sid();
-
- return avc_has_perm(current_selinux_state,
- sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
+ return cred_self_has_perm(current_cred(), SECCLASS_PROCESS,
+ PROCESS__FORK, NULL);
 }
 /*
@@ -4212,9 +4198,8 @@ static int selinux_kernel_module_from_file(struct file *file)
 /* init_module */
 if (file == NULL)
- return avc_has_perm(current_selinux_state,
- sid, sid, SECCLASS_SYSTEM,
- SYSTEM__MODULE_LOAD, NULL);
+ return cred_self_has_perm(current_cred(), SECCLASS_SYSTEM,
+ SYSTEM__MODULE_LOAD, NULL);
 /* finit_module */
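Review bot: In the selinux_kernel_module_from_file hunk the init_module path now walks the whole ancestor chain, while the finit_module path that follows `/* finit_module */` is outside the hunk and, as far as this diff shows, still performs a single-namespace check using the function's `sid` local, whose only visible use was just removed. If that asymmetry is intended because the new helper only covers cred-to-self checks, a short comment at the `/* finit_module */` line, e.g. `/* file-based check is still evaluated in the current namespace only */`, would keep a reader from assuming the two module-load paths are now equivalent; if `sid` has no remaining use in the function it has also become an unused local. The body of selinux_kernel_module_from_file starts before and ends after this hunk, so both points need confirming against the full function.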
@@ -4394,10 +4379,8 @@ static void selinux_task_to_inode(struct task_struct *p,
 static int selinux_userns_create(const struct cred *cred)
 {
- u32 sid = current_sid();
-
- return avc_has_perm(current_selinux_state, sid, sid, SECCLASS_USER_NAMESPACE,
- USER_NAMESPACE__CREATE, NULL);
+ return cred_self_has_perm(current_cred(), SECCLASS_USER_NAMESPACE,
+ USER_NAMESPACE__CREATE, NULL);
 }
 /* Returns error only if unable to parse addresses */
@@ -6608,29 +6591,24 @@ static int selinux_lsm_setattr(u64 attr, void *value, size_t size)
 */
 switch (attr) {
 case LSM_ATTR_EXEC:
- error = avc_has_perm(current_selinux_state,
- mysid, mysid, SECCLASS_PROCESS,
- PROCESS__SETEXEC, NULL);
+ error = cred_self_has_perm(current_cred(), SECCLASS_PROCESS,
+ PROCESS__SETEXEC, NULL);
 break;
 case LSM_ATTR_FSCREATE:
- error = avc_has_perm(current_selinux_state,
- mysid, mysid, SECCLASS_PROCESS,
- PROCESS__SETFSCREATE, NULL);
+ error = cred_self_has_perm(current_cred(), SECCLASS_PROCESS,
+ PROCESS__SETFSCREATE, NULL);
 break;
 case LSM_ATTR_KEYCREATE:
- error = avc_has_perm(current_selinux_state,
- mysid, mysid, SECCLASS_PROCESS,
- PROCESS__SETKEYCREATE, NULL);
+ error = cred_self_has_perm(current_cred(), SECCLASS_PROCESS,
+ PROCESS__SETKEYCREATE, NULL);
 break;
 case LSM_ATTR_SOCKCREATE:
- error = avc_has_perm(current_selinux_state,
- mysid, mysid, SECCLASS_PROCESS,
- PROCESS__SETSOCKCREATE, NULL);
+ error = cred_self_has_perm(current_cred(), SECCLASS_PROCESS,
+ PROCESS__SETSOCKCREATE, NULL);
 break;
 case LSM_ATTR_CURRENT:
- error = avc_has_perm(current_selinux_state,
- mysid, mysid, SECCLASS_PROCESS,
- PROCESS__SETCURRENT, NULL);
+ error = cred_self_has_perm(current_cred(), SECCLASS_PROCESS,
+ PROCESS__SETCURRENT, NULL);
 break;
 default:
 error = -EOPNOTSUPP;
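Review bot: The five converted cases in the selinux_lsm_setattr hunk no longer reference `mysid`; if the removed lines were its last uses in the function, its declaration (outside the hunk) is now an unused local and will warn under -Wunused-variable, so that needs checking against the rest of selinux_lsm_setattr. The cases differ only in the PROCESS__ permission bit, so a switch that selects a `perm` value and is followed by one `error = cred_self_has_perm(current_cred(), SECCLASS_PROCESS, perm, NULL);` would remove four repeated call sites; behaviour would be identical, so this is style only. The selinux_userns_create hunk above is a straightforward conversion and raises nothing.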
@@ -7277,10 +7255,8 @@ static int selinux_uring_override_creds(const struct cred *new)
 */
 static int selinux_uring_sqpoll(void)
 {
- u32 sid = current_sid();
-
- return avc_has_perm(current_selinux_state, sid, sid,
- SECCLASS_IO_URING, IO_URING__SQPOLL, NULL);
+ return cred_self_has_perm(current_cred(), SECCLASS_IO_URING,
+ IO_URING__SQPOLL, NULL);
 }
 /**
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index 199d83d354fb..dd2db5d7f433 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -152,6 +152,12 @@ int cred_has_extended_perms(const struct cred *cred, u32 tsid, u16 tclass,
 u32 requested, u8 driver, u8 xperm,
 struct common_audit_data *ad);
+int cred_self_has_perm(const struct cred *cred, u16 tclass, u32 requested,
+ struct common_audit_data *ad);
+
+int cred_self_has_perm_noaudit(const struct cred *cred, u16 tclass,
+ u32 requested);
+
 u32 avc_policy_seqno(struct selinux_state *state);
 #define AVC_CALLBACK_GRANT 1
--
2.47.1