From: Stephen Smalley <stephen.smalley.work@gmail.com>
To: selinux@vger.kernel.org
Cc: paul@paul-moore.com, omosnace@redhat.com, netdev@vger.kernel.org,
Stephen Smalley <stephen.smalley.work@gmail.com>
Subject: [PATCH v3 39/42] selinux: split cred_ssid_has_perm() into two cases
Date: Tue, 20 May 2025 07:59:37 -0400 [thread overview]
Message-ID: <20250520120000.25501-41-stephen.smalley.work@gmail.com> (raw)
In-Reply-To: <20250520120000.25501-2-stephen.smalley.work@gmail.com>
Split cred_ssid_has_perm() into two separate functions,
cred_obj_has_perm() to perform the namespace-aware checks
for inter-object checks like associate, and cred_ssid_has_perm()
to perform namespace-aware checks for socket and SysV IPC
checks where the SSID is in fact derived from the creating
task SID. Modify cred_ssid_has_perm() to only use the provided
ssid for the initial check in the current namespace, and to
instead use the task SID from the parent cred for each check
against the ancestor namespaces. This ensures that socket
and SysV IPC is correctly controlled in each namespace based
on the task's SID/context in that namespace.
We still need to determine whether peer labeling is correctly
handled across different namespaces, and if not, to adapt
appropriately.
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
security/selinux/avc.c | 59 ++++++++++++++++++++++++++++++++--
security/selinux/hooks.c | 16 ++++-----
security/selinux/include/avc.h | 3 ++
3 files changed, 67 insertions(+), 11 deletions(-)
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 35cd0c9c9d41..9a76266e8305 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -1594,7 +1594,7 @@ int cred_tsid_has_perm_noaudit(const struct cred *cred, u32 tsid, u16 tclass,
}
/**
- * cred_ssid_has_perm - Check and audit permissions on a (ssid, tsid) pair
+ * cred_obj_has_perm - Check and audit permissions on a (ssid, tsid) pair
* @cred: subject credentials
* @ssid: source security identifier
* @tsid: target security identifier
@@ -1611,8 +1611,9 @@ int cred_tsid_has_perm_noaudit(const struct cred *cred, u32 tsid, u16 tclass,
* DO NOT USE when checking permissions involving cred/task SIDs; this
* helper is only for object-to-object checks.
*/
-int cred_ssid_has_perm(const struct cred *cred, u32 ssid, u32 tsid, u16 tclass,
- u32 requested, struct common_audit_data *ad)
+int cred_obj_has_perm(const struct cred *cred, u32 ssid, u32 tsid,
+ u16 tclass, u32 requested,
+ struct common_audit_data *ad)
{
struct task_security_struct *tsec;
struct selinux_state *state;
@@ -1631,6 +1632,58 @@ int cred_ssid_has_perm(const struct cred *cred, u32 ssid, u32 tsid, u16 tclass,
return 0;
}
+/**
+ * cred_ssid_has_perm - Check and audit permissions on a (ssid, tsid) pair
+ * @cred: subject credentials
+ * @ssid: source security identifier
+ * @tsid: target security identifier
+ * @tclass: target security class
+ * @requested: requested permissions, interpreted based on @tclass
+ * @ad: auxiliary audit data
+ *
+ * Check permissions between a source SID @ssid and a target SID @tsid for
+ * @cred's namespace and check between the parent cred's SID and %tsid
+ * for all ancestors to determine whether the @requested permissions are
+ * granted.
+ * Audit the granting or denial of permissions in accordance with the policy.
+ * Return %0 if all @requested permissions are granted, -%EACCES if any
+ * permissions are denied, or another -errno upon other errors.
+ * DO NOT USE when checking permissions involving cred/task SIDs; this
+ * helper is only for socket and IPC checks.
+ */
+int cred_ssid_has_perm(const struct cred *cred, u32 ssid, u32 tsid, u16 tclass,
+ u32 requested, struct common_audit_data *ad)
+{
+ struct task_security_struct *tsec;
+ struct selinux_state *state;
+ int rc;
+
+ /* Check using the provided ssid in the current namespace. */
+ tsec = selinux_cred(cred);
+ state = tsec->state;
+ rc = avc_has_perm(state, ssid, tsid, tclass, requested, ad);
+ if (rc)
+ return rc;
+
+ cred = tsec->parent_cred;
+ while (cred) {
+ /*
+ * In all ancestor namespaces, use the task SID from
+ * the corresponding credential as the subject SID.
+ */
+ tsec = selinux_cred(cred);
+ state = tsec->state;
+ ssid = tsec->sid;
+ rc = avc_has_perm(state, ssid, tsid, tclass, requested, ad);
+ if (rc)
+ return rc;
+
+ cred = tsec->parent_cred;
+ }
+
+ return 0;
+}
+
static u32 cred_sid_for_state(const struct cred *cred,
const struct selinux_state *state)
{
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 850533412896..deba2b4d81c9 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -470,8 +470,8 @@ static int may_context_mount_inode_relabel(u32 sid,
if (rc)
return rc;
- return cred_ssid_has_perm(cred, sid, sbsec->sid, SECCLASS_FILESYSTEM,
- FILESYSTEM__ASSOCIATE, NULL);
+ return cred_obj_has_perm(cred, sid, sbsec->sid, SECCLASS_FILESYSTEM,
+ FILESYSTEM__ASSOCIATE, NULL);
}
static int selinux_is_genfs_special_handling(struct super_block *sb)
@@ -1851,9 +1851,9 @@ static int may_create(struct inode *dir,
if (rc)
return rc;
- return cred_ssid_has_perm(cred, newsid, sbsec->sid,
- SECCLASS_FILESYSTEM, FILESYSTEM__ASSOCIATE,
- &ad);
+ return cred_obj_has_perm(cred, newsid, sbsec->sid,
+ SECCLASS_FILESYSTEM, FILESYSTEM__ASSOCIATE,
+ &ad);
}
#define MAY_LINK 0
@@ -3476,9 +3476,9 @@ static int selinux_inode_setxattr(struct mnt_idmap *idmap,
if (rc)
return rc;
- return cred_ssid_has_perm(cred, newsid, sbsec->sid,
- SECCLASS_FILESYSTEM,
- FILESYSTEM__ASSOCIATE, &ad);
+ return cred_obj_has_perm(cred, newsid, sbsec->sid,
+ SECCLASS_FILESYSTEM,
+ FILESYSTEM__ASSOCIATE, &ad);
}
static int selinux_inode_set_acl(struct mnt_idmap *idmap,
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index ffb8946dfeda..8ce75a5ffaa1 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -165,6 +165,9 @@ int cred_tsid_has_perm(const struct cred *cred, u32 tsid, u16 tclass,
int cred_tsid_has_perm_noaudit(const struct cred *cred, u32 tsid, u16 tclass,
u32 requested, struct av_decision *avd);
+int cred_obj_has_perm(const struct cred *cred, u32 ssid, u32 tsid, u16 tclass,
+ u32 requested, struct common_audit_data *ad);
+
int cred_ssid_has_perm(const struct cred *cred, u32 ssid, u32 tsid, u16 tclass,
u32 requested, struct common_audit_data *ad);
--
2.49.0
next prev parent reply other threads:[~2025-05-20 12:01 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-20 11:58 [PATCH v3 00/42] SELinux namespace support Stephen Smalley
2025-05-20 11:58 ` [PATCH v3 01/42] selinux: restore passing of selinux_state Stephen Smalley
2025-05-20 11:59 ` [PATCH v3 02/42] selinux: introduce current_selinux_state Stephen Smalley
2025-05-20 11:59 ` [PATCH v3 03/42] selinux: support multiple selinuxfs instances Stephen Smalley
2025-05-20 11:59 ` [PATCH v3 04/42] selinux: dynamically allocate selinux namespace Stephen Smalley
2025-05-20 11:59 ` [PATCH v3 05/42] netstate,selinux: create the selinux netlink socket per network namespace Stephen Smalley
2025-05-20 11:59 ` [PATCH v3 06/42] selinux: limit selinux netlink notifications to init namespace Stephen Smalley
2025-05-20 11:59 ` [PATCH v3 07/42] selinux: support per-task/cred selinux namespace Stephen Smalley
2025-05-20 11:59 ` [PATCH v3 08/42] selinux: introduce cred_selinux_state() and use it Stephen Smalley
2025-05-20 11:59 ` [PATCH v3 09/42] selinux: add a selinuxfs interface to unshare selinux namespace Stephen Smalley
2025-05-20 11:59 ` [PATCH v3 10/42] selinux: add limits for SELinux namespaces Stephen Smalley
2025-05-20 11:59 ` [PATCH v3 11/42] selinux: exempt creation of init SELinux namespace from limits Stephen Smalley
2025-05-20 11:59 ` [PATCH v3 12/42] selinux: refactor selinux_state_create() Stephen Smalley
2025-05-20 11:59 ` [PATCH v3 13/42] selinux: allow userspace to detect non-init SELinux namespace Stephen Smalley
2025-05-20 11:59 ` [PATCH v3 14/42] selinuxfs: restrict write operations to the same selinux namespace Stephen Smalley
2025-05-20 11:59 ` [PATCH v3 15/42] selinux: introduce a global SID table Stephen Smalley
2025-05-20 11:59 ` [PATCH v3 16/42] selinux: wrap security server interfaces to use the " Stephen Smalley
2025-05-20 11:59 ` [PATCH v3 17/42] selinux: introduce a Kconfig option for SELinux namespaces Stephen Smalley
2025-05-20 11:59 ` [PATCH v3 18/42] selinux: eliminate global SID table if !CONFIG_SECURITY_SELINUX_NS Stephen Smalley
2025-05-20 11:59 ` [PATCH v3 19/42] selinux: maintain a small cache in the global SID table Stephen Smalley
2025-05-20 11:59 ` [PATCH v3 20/42] selinux: update hook functions to use correct selinux namespace Stephen Smalley
2025-05-20 11:59 ` [PATCH v3 21/42] selinux: introduce cred_task_has_perm() Stephen Smalley
2025-05-20 11:59 ` [PATCH v3 22/42] selinux: introduce cred_has_extended_perms() Stephen Smalley
2025-05-20 11:59 ` [PATCH v3 23/42] selinux: introduce cred_self_has_perm() Stephen Smalley
2025-05-20 11:59 ` [PATCH v3 24/42] selinux: introduce cred_has_perm() Stephen Smalley
2025-05-20 11:59 ` [PATCH v3 25/42] selinux: introduce cred_ssid_has_perm() and cred_other_has_perm() Stephen Smalley
2025-05-20 11:59 ` [PATCH v3 26/42] selinux: introduce task_obj_perm() Stephen Smalley
2025-05-20 11:59 ` [PATCH v3 27/42] selinux: update bprm hooks for selinux namespaces Stephen Smalley
2025-05-20 11:59 ` [PATCH v3 28/42] selinux: add kerneldoc to new permission checking functions Stephen Smalley
2025-05-20 11:59 ` [PATCH v3 29/42] selinux: convert selinux_file_send_sigiotask() to namespace-aware helper Stephen Smalley
2025-05-20 11:59 ` [PATCH v3 30/42] selinux: rename cred_has_perm*() to cred_tsid_has_perm*() Stephen Smalley
2025-05-20 11:59 ` [PATCH v3 31/42] selinux: update cred_tsid_has_perm_noaudit() to return the combined avd Stephen Smalley
2025-05-20 11:59 ` [PATCH v3 32/42] selinux: convert additional checks to cred_ssid_has_perm() Stephen Smalley
2025-05-20 11:59 ` [PATCH v3 33/42] selinux: introduce selinux_state_has_perm() Stephen Smalley
2025-05-20 11:59 ` [PATCH v3 34/42] selinux: annotate selinuxfs permission checks Stephen Smalley
2025-05-20 11:59 ` [PATCH v3 35/42] selinux: annotate process transition " Stephen Smalley
2025-05-20 11:59 ` [PATCH v3 36/42] selinux: convert xfrm and netlabel " Stephen Smalley
2025-05-20 11:59 ` [PATCH v3 37/42] selinux: switch selinux_lsm_setattr() checks to current namespace Stephen Smalley
2025-05-20 11:59 ` [PATCH v3 38/42] selinux: make open_perms namespace-aware Stephen Smalley
2025-05-20 11:59 ` Stephen Smalley [this message]
2025-05-20 11:59 ` [PATCH v3 40/42] selinux: disallow writes to /sys/fs/selinux/user in non-init namespaces Stephen Smalley
2025-05-20 11:59 ` [PATCH v3 41/42] selinux: convert nlmsg_sock_has_extended_perms() to namespace-aware Stephen Smalley
2025-05-20 11:59 ` [PATCH v3 42/42] selinux: init inode from nearest initialized namespace Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250520120000.25501-41-stephen.smalley.work@gmail.com \
--to=stephen.smalley.work@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).