On Dec 19, 2024 Thiébaud Weksteen <tweek@xxxxxxxxxx> wrote:
>
> In commit d1d991efaf34 ("selinux: Add netlink xperm support") a new
> extended permission was added ("nlmsg"). This was the second extended
> permission implemented in selinux ("ioctl" being the first one).
>
> Extended permissions are associated with a base permission. It was found
> that, in the access vector cache (avc), the extended permission did not
> keep track of its base permission. This is an issue for a domain that is
> using both extended permissions (i.e., a domain calling ioctl() on a
> netlink socket). In this case, the extended permissions were
> overlapping.
>
> Keep track of the base permission in the cache. A new field "base_perm"
> is added to struct extended_perms_decision to make sure that the
> extended permission refers to the correct policy permission. A new field
> "base_perms" is added to struct extended_perms to quickly decide if
> extended permissions apply.
>
> While it is in theory possible to retrieve the base permission from the
> access vector, the same base permission may not be mapped to the same
> bit for each class (e.g., "nlmsg" is mapped to a different bit for
> "netlink_route_socket" and "netlink_audit_socket"). Instead, use a
> constant (AVC_EXT_IOCTL or AVC_EXT_NLMSG) provided by the caller.
>
> Fixes: d1d991efaf34 ("selinux: Add netlink xperm support")
> Signed-off-by: Thiébaud Weksteen <tweek@xxxxxxxxxx>
> ---
> v2:
> Based on Paul's feedback:
> - Move base_perms to the second field in struct extended_perms.
> - In context_struct_compute_av, memset the whole structure (instead of
>   each field individually).
> - In services_compute_xperms_decision, merge the "if" blocks.
>
>  security/selinux/avc.c              | 61 ++++++++++++++++-------------
>  security/selinux/hooks.c            |  6 +--
>  security/selinux/include/avc.h      |  5 ++-
>  security/selinux/include/security.h |  3 ++
>  security/selinux/ss/services.c      | 28 +++++++++----
>  5 files changed, 65 insertions(+), 38 deletions(-)

Merged into selinux/stable-6.13, thanks!

-- 
paul-moore.com
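The overlap the commit message describes is easier to see with a stand-alone model of the xperm cache than from the diffstat. The program below is an added example written for this page; it is not kernel code and does not reproduce the patch. It keeps only the shape of the problem: extended permission values are 16 bits split into a "driver" high byte and a "function" low byte, decisions are cached per driver as a 256-bit bitmap, and the question is whether the cached decision also remembers which base permission ("ioctl" or "nlmsg") it was computed for. The enum values, struct and function names, and the two-rule policy are this example's own assumptions; the concrete values FIBMAP (0x0001) and RTM_GETLINK (0x0012) come from the Linux headers, and both happen to sit under driver 0x00, which is exactly the collision the patch is about. With `track_base == false` the model behaves like the pre-fix code and lets an ioctl 0x0012 and a netlink message of type 0x0001 through even though policy allows neither.

```c
/* Added example: toy model of the SELinux AVC extended-permission cache.
 * Not kernel code; names, constants and the policy below are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Which base permission an extended permission qualifies (values assumed;
 * the kernel passes AVC_EXT_IOCTL / AVC_EXT_NLMSG from the caller). */
enum base_perm { BASE_IOCTL = 1, BASE_NLMSG = 2 };

/* A 16-bit extended permission: high byte "driver", low byte "function". */
#define XPERM_DRIVER(x) ((uint8_t)((x) >> 8))
#define XPERM_FUNC(x)   ((uint8_t)((x) & 0xff))

struct xperm_rule { enum base_perm base; uint16_t xperm; };

/* Constructed policy for one (domain, netlink_route_socket) pair:
 *   allowxperm dom self:netlink_route_socket ioctl { 0x0001 };  FIBMAP, driver 0x00
 *   allowxperm dom self:netlink_route_socket nlmsg { 0x0012 };  RTM_GETLINK, driver 0x00 */
static const struct xperm_rule policy[] = {
    { BASE_IOCTL, 0x0001 },
    { BASE_NLMSG, 0x0012 },
};

/* A cached decision: the allowed function numbers for one driver. */
struct xperm_decision {
    enum base_perm base_perm;   /* the field the fix adds to the cache */
    uint8_t driver;
    uint32_t allowed[8];        /* 256-bit bitmap */
};

#define BIT_SET(map, n)  ((map)[(n) / 32] |= 1u << ((n) % 32))
#define BIT_TEST(map, n) (((map)[(n) / 32] >> ((n) % 32)) & 1u)

/* Compute a decision from policy. With track_base == false this mirrors the
 * pre-fix behaviour: every rule for the driver is merged, whatever its base. */
static void compute_decision(enum base_perm base, uint8_t driver, bool track_base,
                             struct xperm_decision *xpd)
{
    memset(xpd, 0, sizeof(*xpd));
    xpd->base_perm = base;
    xpd->driver = driver;
    for (size_t i = 0; i < sizeof(policy) / sizeof(policy[0]); i++) {
        if (XPERM_DRIVER(policy[i].xperm) != driver)
            continue;
        if (track_base && policy[i].base != base)
            continue;
        BIT_SET(xpd->allowed, XPERM_FUNC(policy[i].xperm));
    }
}

/* Cache node for one (ssid, tsid, tclass) triple; no eviction in this toy. */
struct xperms_node { bool track_base; int n; struct xperm_decision xpd[8]; };

static struct xperm_decision *lookup(struct xperms_node *node, enum base_perm base,
                                     uint8_t driver)
{
    for (int i = 0; i < node->n; i++) {
        if (node->xpd[i].driver != driver)
            continue;
        if (node->track_base && node->xpd[i].base_perm != base)
            continue;   /* post-fix: a decision only serves its own base perm */
        return &node->xpd[i];
    }
    return NULL;
}

/* The access check: reuse a cached decision, else compute and cache one. */
static bool xperm_allowed(struct xperms_node *node, enum base_perm base, uint16_t xperm)
{
    uint8_t driver = XPERM_DRIVER(xperm);
    struct xperm_decision *xpd = lookup(node, base, driver);
    if (!xpd) {
        xpd = &node->xpd[node->n++];
        compute_decision(base, driver, node->track_base, xpd);
    }
    return BIT_TEST(xpd->allowed, XPERM_FUNC(xperm));
}

struct scenario_result {
    bool getlink;      /* nlmsg RTM_GETLINK: allowed by policy */
    bool fibmap;       /* ioctl FIBMAP: allowed by policy */
    bool ioctl_0x12;   /* ioctl 0x0012: not in policy, must be denied */
    bool nlmsg_0x01;   /* nlmsg type 0x0001: not in policy, must be denied */
};

/* The checks a domain doing both sendmsg() and ioctl() on one netlink socket
 * triggers, run against a fresh cache in the given mode. */
struct scenario_result run_scenario(bool track_base)
{
    struct xperms_node node = { .track_base = track_base };
    struct scenario_result r;
    r.getlink    = xperm_allowed(&node, BASE_NLMSG, 0x0012);
    r.fibmap     = xperm_allowed(&node, BASE_IOCTL, 0x0001);
    r.ioctl_0x12 = xperm_allowed(&node, BASE_IOCTL, 0x0012);
    r.nlmsg_0x01 = xperm_allowed(&node, BASE_NLMSG, 0x0001);
    return r;
}

int main(void)
{
    static const char *label[] = { "pre-fix (driver only)", "post-fix (base_perm + driver)" };
    for (int fixed = 0; fixed < 2; fixed++) {
        struct scenario_result r = run_scenario(fixed);
        printf("%s: getlink=%d fibmap=%d ioctl_0x12=%d nlmsg_0x01=%d\n",
               label[fixed], r.getlink, r.fibmap, r.ioctl_0x12, r.nlmsg_0x01);
    }
    return 0;
}
```

Two things in the model correspond to the two fields the patch adds: `compute_decision` filtering on `base` is the services.c side (the decision is computed for one policy permission only), and `lookup` comparing `base_perm` is the avc.c side (a cached "nlmsg" decision is no longer handed back to an "ioctl" check for the same driver). The model also shows why the base permission has to come in as a constant from the caller rather than be recovered from the access vector: nothing in the cached bitmap or the driver byte says which permission it belongs to.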