Convert selinux_file_send_sigiotask() to use the cred_task_has_perm() namespace-aware permission checking helper. This required saving the file owner cred in the file security blob for later use in this hook function. Since the cred already includes the cred/task security blob which has the task SID and the SELinux state/namespace, we can drop those separate fields from the file_security_struct at the same time.

Signed-off-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
---
 security/selinux/hooks.c | 15 ++++++---------
 security/selinux/include/objsec.h | 3 +--
 2 files changed, 7 insertions(+), 11 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index e34ba9a9f2a0..5a0355229ad3 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3703,8 +3703,7 @@ static int selinux_file_alloc_security(struct file *file)
 	u32 sid = current_sid();
 
 	fsec->sid = sid;
-	fsec->fown_sid = sid;
-	fsec->state = get_selinux_state(current_selinux_state);
+	fsec->cred = get_cred(current_cred());
 
 	return 0;
 }
@@ -3713,8 +3712,7 @@ static void selinux_file_free_security(struct file *file)
 {
 	struct file_security_struct *fsec = selinux_file(file);
 
-	put_selinux_state(fsec->state);
-	fsec->state = NULL;
+	put_cred(fsec->cred);
 }
 
 /*
@@ -3996,14 +3994,14 @@ static void selinux_file_set_fowner(struct file *file)
 	struct file_security_struct *fsec;
 
 	fsec = selinux_file(file);
-	fsec->fown_sid = current_sid();
+	put_cred(fsec->cred);
+	fsec->cred = get_cred(current_cred());
 }
 
 static int selinux_file_send_sigiotask(struct task_struct *tsk,
 				       struct fown_struct *fown, int signum)
 {
 	struct file *file;
-	u32 sid = task_sid_obj(tsk);
 	u32 perm;
 	struct file_security_struct *fsec;
 
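Review bot: The reference taken by `fsec->cred = get_cred(current_cred());` is the default SIGIO owner for every file, including those that never see F_SETOWN, but nothing at the assignment says so; a reader of selinux_file_send_sigiotask() has to find this hook to learn why the cred is never NULL there. Add `/* Owner defaults to the opener; selinux_file_set_fowner() replaces it. */` above the assignment. If the VFS already pins the opener's cred in file->f_cred before this hook runs, the blob now holds a second reference to the same object, which is harmless but worth a sentence in the commit message so the duplication is understood to be deliberate.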
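Review bot: `put_cred(fsec->cred);` drops the reference but, unlike the `fsec->state = NULL;` it replaces, leaves the released pointer sitting in the blob. Follow it with `fsec->cred = NULL;` so that any late use of the blob faults on a NULL pointer rather than dereferencing a freed cred, keeping the defensive habit the previous code had.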
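Review bot: In selinux_file_set_fowner(), `put_cred(fsec->cred);` runs before `fsec->cred = get_cred(current_cred());`, so the blob briefly points at a reference it no longer owns and the sequence is only safe because the task still pins the cred being re-acquired when both are the same object; taking the new reference first is the usual idiom: `const struct cred *old = fsec->cred; fsec->cred = get_cred(current_cred()); put_cred(old);`. The field being swapped is now a refcounted pointer rather than the u32 it replaces, so this store and the read in selinux_file_send_sigiotask() must be serialized, presumably by the fown lock its callers hold, and that assumption deserves a one-line comment above the swap. selinux_file_send_sigiotask() continues past the end of this hunk.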
@@ -4017,9 +4015,8 @@ static int selinux_file_send_sigiotask(struct task_struct *tsk,
 	else
 		perm = signal_to_av(signum);
 
-	return avc_has_perm(fsec->state,
-			    fsec->fown_sid, sid,
-			    SECCLASS_PROCESS, perm, NULL);
+	return cred_task_has_perm(fsec->cred, tsk, SECCLASS_PROCESS, perm,
+				  NULL);
 }
 
 static int selinux_file_receive(struct file *file)
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index 6560cb13fc34..7c452047664c 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -48,10 +48,9 @@ struct inode_security_struct {
 struct file_security_struct {
 	u32 sid; /* SID of open file description */
-	u32 fown_sid; /* SID of file owner (for SIGIO) */
 	u32 isid; /* SID of inode at the time of file open */
 	u32 pseqno; /* Policy seqno at the time of file open */
-	struct selinux_state *state; /* SELinux state */
+	const struct cred *cred; /* cred for file owner (for SIGIO) */
 };
 
 struct superblock_security_struct {
-- 
2.47.1
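Review bot: The new field comment `/* cred for file owner (for SIGIO) */` says nothing about who owns the reference or when the pointer is valid, which matters more now that a refcounted pointer replaces the plain SID. The hooks in this series set it to the opener's cred at alloc, replace it in selinux_file_set_fowner() and drop it in selinux_file_free_security(), so say that here: `/* held ref to the owner cred for SIGIO checks: the opener at alloc, replaced by file_set_fowner(), dropped in file_free_security() */`.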