Re: [PATCH] selinux: ignore unknown extended permissions

On Tue, Dec 3, 2024 at 5:27 PM Thiébaud Weksteen <tweek@xxxxxxxxxx> wrote:
>
> When evaluating extended permissions, ignore unknown permissions instead
> of calling BUG(). This commit ensures that future permissions can be
> added without interfering with older kernels.
>
> Fixes: fa1aa143ac4a ("selinux: extended permissions for ioctls")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Thiébaud Weksteen <tweek@xxxxxxxxxx>
> ---
>  security/selinux/ss/services.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> index 971c45d576ba..2fa8aebcb2e5 100644
> --- a/security/selinux/ss/services.c
> +++ b/security/selinux/ss/services.c
> @@ -979,7 +979,8 @@ void services_compute_xperms_decision(struct extended_perms_decision *xpermd,
>                         return;
>                 break;
>         default:
> -               BUG();
> +               // An unknown extended permission has been found. Ignore it.
> +               return;

There is also a BUG() call lower in the function when it generates the
extended data, do you want to update/remove that as well?

It also seems like we should have a pr_warn_once() or
pr_warn_ratelimited() message here to alert the admin of a mismatch
between the policy and the kernel.

>         }
>
>         if (node->key.specified == AVTAB_XPERMS_ALLOWED) {
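Review bot: The added comment on the `+` line uses a C99 `//` comment, which the kernel coding style (Documentation/process/coding-style.rst) rules out for C files and checkpatch warns about; use the C89 form, e.g. `/* An unknown extended permission has been found. Ignore it. */`. It would also help readers of this call site if the comment stated why silently returning (rather than denying) is the intended behaviour, since the rationale in the commit message (policy built for a newer kernel loaded on an older one) is not visible here.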
> --

-- 
paul-moore.com