From: Stephen Smalley <stephen.smalley.work@gmail.com>
To: selinux@vger.kernel.org
Cc: paul@paul-moore.com, omosnace@redhat.com, netdev@vger.kernel.org,
horms@kernel.org,
Stephen Smalley <stephen.smalley.work@gmail.com>
Subject: [PATCH v6 37/42] selinux: convert xfrm and netlabel permission checks
Date: Fri, 20 Jun 2025 13:44:49 -0400 [thread overview]
Message-ID: <20250620174502.1838-38-stephen.smalley.work@gmail.com> (raw)
In-Reply-To: <20250620174502.1838-1-stephen.smalley.work@gmail.com>
Convert the xfrm and netlabel permission checks to use the appropriate
namespace-aware helper for each check. When in process context, use
cred_tsid_has_perm() to check permission; when not in process context,
use selinux_state_has_perm().
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
security/selinux/netlabel.c | 6 +++---
security/selinux/xfrm.c | 33 ++++++++++++++++++---------------
2 files changed, 21 insertions(+), 18 deletions(-)
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index 9c360f2ee7fc..06ce45f628f8 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -137,7 +137,7 @@ void selinux_netlbl_cache_invalidate(void)
* @gateway: true if host is acting as a gateway, false otherwise
*
* Description:
- * When a packet is dropped due to a call to avc_has_perm() pass the error
+ * When a packet is dropped due to a permission denial, pass the error
* code to the NetLabel subsystem so any protocol specific processing can be
* done. This is safe to call even if you are unsure if NetLabel labeling is
* present on the packet, NetLabel is smart enough to only act when it should.
@@ -478,8 +478,8 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
perm = RAWIP_SOCKET__RECVFROM;
}
- rc = avc_has_perm(sksec->state, sksec->sid, nlbl_sid, sksec->sclass,
- perm, ad);
+ rc = selinux_state_has_perm(sksec->state, sksec->sid, nlbl_sid,
+ sksec->sclass, perm, ad);
if (rc == 0)
return 0;
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index 855f77630bdb..be91a28ab47b 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -102,9 +102,9 @@ static int selinux_xfrm_alloc_user(struct xfrm_sec_ctx **ctxp,
if (rc)
goto err;
- rc = avc_has_perm(current_selinux_state,
- current_sid(), ctx->ctx_sid,
- SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, NULL);
+ rc = cred_tsid_has_perm(current_cred(), ctx->ctx_sid,
+ SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
+ NULL);
if (rc)
goto err;
@@ -137,10 +137,9 @@ static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx)
if (!ctx)
return 0;
- return avc_has_perm(current_selinux_state,
- current_sid(), ctx->ctx_sid,
- SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
- NULL);
+ return cred_tsid_has_perm(current_cred(), ctx->ctx_sid,
+ SECCLASS_ASSOCIATION,
+ ASSOCIATION__SETCONTEXT, NULL);
}
/*
@@ -162,8 +161,9 @@ int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid)
if (!selinux_authorizable_ctx(ctx))
return -EINVAL;
- rc = avc_has_perm(state, fl_secid, ctx->ctx_sid,
- SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, NULL);
+ rc = selinux_state_has_perm(state, fl_secid, ctx->ctx_sid,
+ SECCLASS_ASSOCIATION,
+ ASSOCIATION__POLMATCH, NULL);
return (rc == -EACCES ? -ESRCH : rc);
}
@@ -205,8 +205,9 @@ int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
/* We don't need a separate SA Vs. policy polmatch check since the SA
* is now of the same label as the flow and a flow Vs. policy polmatch
* check had already happened in selinux_xfrm_policy_lookup() above. */
- return (avc_has_perm(state, flic_sid, state_sid, SECCLASS_ASSOCIATION,
- ASSOCIATION__SENDTO, NULL) ? 0 : 1);
+ return (selinux_state_has_perm(state, flic_sid, state_sid,
+ SECCLASS_ASSOCIATION,
+ ASSOCIATION__SENDTO, NULL) ? 0 : 1);
}
static u32 selinux_xfrm_skb_sid_egress(struct sk_buff *skb)
@@ -425,8 +426,9 @@ int selinux_xfrm_sock_rcv_skb(struct sk_security_struct *sksec, struct sk_buff *
/* This check even when there's no association involved is intended,
* according to Trent Jaeger, to make sure a process can't engage in
* non-IPsec communication unless explicitly allowed by policy. */
- return avc_has_perm(sksec->state, sk_sid, peer_sid,
- SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, ad);
+ return selinux_state_has_perm(sksec->state, sk_sid, peer_sid,
+ SECCLASS_ASSOCIATION,
+ ASSOCIATION__RECVFROM, ad);
}
/*
@@ -469,6 +471,7 @@ int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb,
/* This check even when there's no association involved is intended,
* according to Trent Jaeger, to make sure a process can't engage in
* non-IPsec communication unless explicitly allowed by policy. */
- return avc_has_perm(state, sk_sid, SECINITSID_UNLABELED,
- SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, ad);
+ return selinux_state_has_perm(state, sk_sid, SECINITSID_UNLABELED,
+ SECCLASS_ASSOCIATION,
+ ASSOCIATION__SENDTO, ad);
}
--
2.49.0
next prev parent reply other threads:[~2025-06-20 17:45 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-20 17:44 [PATCH v6 00/42] SELinux namespace support Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 01/42] selinux: restore passing of selinux_state Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 02/42] selinux: introduce current_selinux_state Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 03/42] selinux: support multiple selinuxfs instances Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 04/42] selinux: dynamically allocate selinux namespace Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 05/42] netstate,selinux: create the selinux netlink socket per network namespace Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 06/42] selinux: limit selinux netlink notifications to init namespace Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 07/42] selinux: support per-task/cred selinux namespace Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 08/42] selinux: introduce cred_selinux_state() and use it Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 09/42] selinux: init inode from nearest initialized namespace Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 10/42] selinux: add a selinuxfs interface to unshare selinux namespace Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 11/42] selinux: add limits for SELinux namespaces Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 12/42] selinux: exempt creation of init SELinux namespace from limits Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 13/42] selinux: refactor selinux_state_create() Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 14/42] selinux: allow userspace to detect non-init SELinux namespace Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 15/42] selinuxfs: restrict write operations to the same selinux namespace Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 16/42] selinux: introduce a global SID table Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 17/42] selinux: wrap security server interfaces to use the " Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 18/42] selinux: introduce a Kconfig option for SELinux namespaces Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 19/42] selinux: eliminate global SID table if !CONFIG_SECURITY_SELINUX_NS Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 20/42] selinux: maintain a small cache in the global SID table Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 21/42] selinux: update hook functions to use correct selinux namespace Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 22/42] selinux: introduce cred_task_has_perm() Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 23/42] selinux: introduce cred_has_extended_perms() Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 24/42] selinux: introduce cred_self_has_perm() Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 25/42] selinux: introduce cred_has_perm() Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 26/42] selinux: introduce cred_ssid_has_perm() and cred_other_has_perm() Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 27/42] selinux: introduce task_obj_has_perm() Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 28/42] selinux: update bprm hooks for selinux namespaces Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 29/42] selinux: add kerneldoc to new permission checking functions Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 30/42] selinux: convert selinux_file_send_sigiotask() to namespace-aware helper Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 31/42] selinux: rename cred_has_perm*() to cred_tsid_has_perm*() Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 32/42] selinux: update cred_tsid_has_perm_noaudit() to return the combined avd Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 33/42] selinux: convert additional checks to cred_ssid_has_perm() Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 34/42] selinux: introduce selinux_state_has_perm() Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 35/42] selinux: annotate selinuxfs permission checks Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 36/42] selinux: annotate process transition " Stephen Smalley
2025-06-20 17:44 ` Stephen Smalley [this message]
2025-06-20 17:44 ` [PATCH v6 38/42] selinux: switch selinux_lsm_setattr() checks to current namespace Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 39/42] selinux: make open_perms namespace-aware Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 40/42] selinux: split cred_ssid_has_perm() into two cases Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 41/42] selinux: convert nlmsg_sock_has_extended_perms() to namespace-aware Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 42/42] selinux: disallow writes to /sys/fs/selinux/user in non-init namespaces Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250620174502.1838-38-stephen.smalley.work@gmail.com \
--to=stephen.smalley.work@gmail.com \
--cc=horms@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).