On Feb 6, 2025 Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
>
> Commit 2039bda1fa8d ("LSM: Add "contents" flag to kernel_read_file hook")
> added a new flag to the security_kernel_read_file() LSM hook, "contents",
> which was set if a file was being read in its entirety or if it was the
> first chunk read in a multi-step process. The SELinux LSM callback was
> updated to only check against the file label if this "contents" flag was
> set, meaning that in multi-step reads the file label was not considered
> in the access control decision after the initial chunk.
>
> Thankfully the only in-tree user that performs a multi-step read is the
> "bcm-vk" driver and it is loading firmware, not a kernel module, so there
> are no security regressions to worry about. However, we still want to
> ensure that the SELinux code does the right thing, and *always* checks
> the file label, especially as there is a chance the file could change
> between chunk reads.
>
> Fixes: 2039bda1fa8d ("LSM: Add "contents" flag to kernel_read_file hook")
> Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
> ---
> security/selinux/hooks.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Merged into selinux/dev.
--
paul-moore.com
