Convert additional permission checks in the hook functions to
use the namespace-aware cred_ssid_has_perm() helper function.
In particular, the following hook functions are updated:
selinux_socket_bind()
selinux_socket_connect_helper()
selinux_socket_unix_stream_connect()
selinux_socket_unix_may_send()
selinux_msg_queue_msgrcv()
In each of these cases, the check is between two object SIDs
and does not use the current cred SID.
selinux_msg_queue_msgrcv() may bear revisiting since the
source SID is the SID of the receiving task (not current).
An alternative would be to use the receiving task's cred
and the cred_tsid_has_perm() helper for these checks.
Signed-off-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
---
security/selinux/hooks.c | 44 ++++++++++++++++++++--------------------
1 file changed, 22 insertions(+), 22 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 1619d5c2c187..9e09bfff8392 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4778,6 +4778,7 @@ static int selinux_socket_socketpair(struct socket *socka,
static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
{
+ const struct cred *cred = current_cred();
struct sock *sk = sock->sk;
struct sk_security_struct *sksec = selinux_sock(sk);
u16 family;
@@ -4859,10 +4860,10 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
snum, &sid);
if (err)
goto out;
- err = avc_has_perm(current_selinux_state,
- sksec->sid, sid,
- sksec->sclass,
- SOCKET__NAME_BIND, &ad);
+ err = cred_ssid_has_perm(cred, sksec->sid,
+ sid, sksec->sclass,
+ SOCKET__NAME_BIND,
+ &ad);
if (err)
goto out;
}
@@ -4900,9 +4901,8 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
else
ad.u.net->v6info.saddr = addr6->sin6_addr;
- err = avc_has_perm(current_selinux_state,
- sksec->sid, sid,
- sksec->sclass, node_perm, &ad);
+ err = cred_ssid_has_perm(cred, sksec->sid, sid,
+ sksec->sclass, node_perm, &ad);
if (err)
goto out;
}
@@ -4921,6 +4921,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
static int selinux_socket_connect_helper(struct socket *sock,
struct sockaddr *address, int addrlen)
{
+ const struct cred *cred = current_cred();
struct sock *sk = sock->sk;
struct sk_security_struct *sksec = selinux_sock(sk);
int err;
@@ -4999,8 +5000,8 @@ static int selinux_socket_connect_helper(struct socket *sock,
ad.u.net = &net;
ad.u.net->dport = htons(snum);
ad.u.net->family = address->sa_family;
- err = avc_has_perm(current_selinux_state,
- sksec->sid, sid, sksec->sclass, perm, &ad);
+ err = cred_ssid_has_perm(cred, sksec->sid, sid,
+ sksec->sclass, perm, &ad);
if (err)
return err;
}
@@ -5101,6 +5102,7 @@ static int selinux_socket_unix_stream_connect(struct sock *sock,
struct sock *other,
struct sock *newsk)
{
+ const struct cred *cred = current_cred();
struct sk_security_struct *sksec_sock = selinux_sock(sock);
struct sk_security_struct *sksec_other = selinux_sock(other);
struct sk_security_struct *sksec_new = selinux_sock(newsk);
@@ -5110,10 +5112,9 @@ static int selinux_socket_unix_stream_connect(struct sock *sock,
ad_net_init_from_sk(&ad, &net, other);
- err = avc_has_perm(current_selinux_state,
- sksec_sock->sid, sksec_other->sid,
- sksec_other->sclass,
- UNIX_STREAM_SOCKET__CONNECTTO, &ad);
+ err = cred_ssid_has_perm(cred, sksec_sock->sid, sksec_other->sid,
+ sksec_other->sclass,
+ UNIX_STREAM_SOCKET__CONNECTTO, &ad);
if (err)
return err;
@@ -5133,6 +5134,7 @@ static int selinux_socket_unix_stream_connect(struct sock *sock,
static int selinux_socket_unix_may_send(struct socket *sock,
struct socket *other)
{
+ const struct cred *cred = current_cred();
struct sk_security_struct *ssec = selinux_sock(sock->sk);
struct sk_security_struct *osec = selinux_sock(other->sk);
struct common_audit_data ad;
@@ -5140,9 +5142,8 @@ static int selinux_socket_unix_may_send(struct socket *sock,
ad_net_init_from_sk(&ad, &net, other->sk);
- return avc_has_perm(current_selinux_state,
- ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
- &ad);
+ return cred_ssid_has_perm(cred, ssec->sid, osec->sid, osec->sclass,
+ SOCKET__SENDTO, &ad);
}
static int selinux_inet_sys_rcv_skb(struct selinux_state *state,
@@ -6256,6 +6257,7 @@ static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *m
struct task_struct *target,
long type, int mode)
{
+ const struct cred *cred = current_cred();
struct ipc_security_struct *isec;
struct msg_security_struct *msec;
struct common_audit_data ad;
@@ -6268,13 +6270,11 @@ static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *m
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = msq->key;
- rc = avc_has_perm(current_selinux_state,
- sid, isec->sid,
- SECCLASS_MSGQ, MSGQ__READ, &ad);
+ rc = cred_ssid_has_perm(cred, sid, isec->sid, SECCLASS_MSGQ,
+ MSGQ__READ, &ad);
if (!rc)
- rc = avc_has_perm(current_selinux_state,
- sid, msec->sid,
- SECCLASS_MSG, MSG__RECEIVE, &ad);
+ rc = cred_ssid_has_perm(cred, sid, msec->sid,
+ SECCLASS_MSG, MSG__RECEIVE, &ad);
return rc;
}
--
2.47.1
