From: Stephen Smalley <stephen.smalley.work@gmail.com>
To: selinux@vger.kernel.org
Cc: paul@paul-moore.com, omosnace@redhat.com, netdev@vger.kernel.org,
horms@kernel.org,
Stephen Smalley <stephen.smalley.work@gmail.com>
Subject: [PATCH v6 08/42] selinux: introduce cred_selinux_state() and use it
Date: Fri, 20 Jun 2025 13:44:20 -0400 [thread overview]
Message-ID: <20250620174502.1838-9-stephen.smalley.work@gmail.com> (raw)
In-Reply-To: <20250620174502.1838-1-stephen.smalley.work@gmail.com>
When using the SID from a cred, we should pass the selinux
namespace associated with the cred on security server calls
rather than the current selinux namespace, since they could differ.
In some of these cases, the cred is always obtained from the current
task so there is no real change, but this is cleaner and hopefully
less fragile. In other cases, the cred could in fact differ.
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
security/selinux/hooks.c | 44 ++++++++++++++---------------
security/selinux/include/security.h | 2 ++
2 files changed, 24 insertions(+), 22 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 53147dd87ce4..7254418e7e5e 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -464,13 +464,13 @@ static int may_context_mount_sb_relabel(u32 sid,
const struct task_security_struct *tsec = selinux_cred(cred);
int rc;
- rc = avc_has_perm(current_selinux_state,
+ rc = avc_has_perm(cred_selinux_state(cred),
tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
FILESYSTEM__RELABELFROM, NULL);
if (rc)
return rc;
- rc = avc_has_perm(current_selinux_state,
+ rc = avc_has_perm(cred_selinux_state(cred),
tsec->sid, sid, SECCLASS_FILESYSTEM,
FILESYSTEM__RELABELTO, NULL);
return rc;
@@ -482,13 +482,13 @@ static int may_context_mount_inode_relabel(u32 sid,
{
const struct task_security_struct *tsec = selinux_cred(cred);
int rc;
- rc = avc_has_perm(current_selinux_state,
+ rc = avc_has_perm(cred_selinux_state(cred),
tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
FILESYSTEM__RELABELFROM, NULL);
if (rc)
return rc;
- rc = avc_has_perm(current_selinux_state,
+ rc = avc_has_perm(cred_selinux_state(cred),
sid, sbsec->sid, SECCLASS_FILESYSTEM,
FILESYSTEM__ASSOCIATE, NULL);
return rc;
@@ -1683,10 +1683,10 @@ static int cred_has_capability(const struct cred *cred,
return -EINVAL;
}
- rc = avc_has_perm_noaudit(current_selinux_state,
+ rc = avc_has_perm_noaudit(cred_selinux_state(cred),
sid, sid, sclass, av, 0, &avd);
if (!(opts & CAP_OPT_NOAUDIT)) {
- int rc2 = avc_audit(current_selinux_state,
+ int rc2 = avc_audit(cred_selinux_state(cred),
sid, sid, sclass, av, &avd, rc, &ad);
if (rc2)
return rc2;
@@ -1711,7 +1711,7 @@ static int inode_has_perm(const struct cred *cred,
sid = cred_sid(cred);
isec = selinux_inode(inode);
- return avc_has_perm(current_selinux_state,
+ return avc_has_perm(cred_selinux_state(cred),
sid, isec->sid, isec->sclass, perms, adp);
}
@@ -1791,7 +1791,7 @@ static int file_has_perm(const struct cred *cred,
ad.u.file = file;
if (sid != fsec->sid) {
- rc = avc_has_perm(current_selinux_state,
+ rc = avc_has_perm(cred_selinux_state(cred),
sid, fsec->sid,
SECCLASS_FD,
FD__USE,
@@ -2006,7 +2006,7 @@ static int superblock_has_perm(const struct cred *cred,
u32 sid = cred_sid(cred);
sbsec = selinux_superblock(sb);
- return avc_has_perm(current_selinux_state,
+ return avc_has_perm(cred_selinux_state(cred),
sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
}
@@ -2188,7 +2188,7 @@ static int selinux_capset(struct cred *new, const struct cred *old,
const kernel_cap_t *inheritable,
const kernel_cap_t *permitted)
{
- return avc_has_perm(current_selinux_state,
+ return avc_has_perm(cred_selinux_state(old),
cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
PROCESS__SETCAP, NULL);
}
@@ -3886,7 +3886,7 @@ static int ioctl_has_perm(const struct cred *cred, struct file *file,
ad.u.op->path = file->f_path;
if (ssid != fsec->sid) {
- rc = avc_has_perm(current_selinux_state,
+ rc = avc_has_perm(cred_selinux_state(cred),
ssid, fsec->sid,
SECCLASS_FD,
FD__USE,
@@ -3997,7 +3997,7 @@ static int file_map_prot_check(struct file *file, unsigned long prot, int shared
* private file mapping that will also be writable.
* This has an additional check.
*/
- rc = avc_has_perm(current_selinux_state,
+ rc = avc_has_perm(cred_selinux_state(cred),
sid, sid, SECCLASS_PROCESS,
PROCESS__EXECMEM, NULL);
if (rc)
@@ -4077,14 +4077,14 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
*/
if (vma->vm_start >= vma->vm_mm->start_brk &&
vma->vm_end <= vma->vm_mm->brk) {
- rc = avc_has_perm(current_selinux_state,
- sid, sid, SECCLASS_PROCESS,
- PROCESS__EXECHEAP, NULL);
+ rc = avc_has_perm(cred_selinux_state(cred), sid, sid,
+ SECCLASS_PROCESS, PROCESS__EXECHEAP,
+ NULL);
} else if (!vma->vm_file && (vma_is_initial_stack(vma) ||
vma_is_stack_for_current(vma))) {
- rc = avc_has_perm(current_selinux_state,
- sid, sid, SECCLASS_PROCESS,
- PROCESS__EXECSTACK, NULL);
+ rc = avc_has_perm(cred_selinux_state(cred), sid, sid,
+ SECCLASS_PROCESS, PROCESS__EXECSTACK,
+ NULL);
} else if (vma->vm_file && vma->anon_vma) {
/*
* We are making executable a file mapping that has
@@ -4287,7 +4287,7 @@ static int selinux_kernel_act_as(struct cred *new, u32 secid)
u32 sid = current_sid();
int ret;
- ret = avc_has_perm(current_selinux_state,
+ ret = avc_has_perm(tsec->state,
sid, secid,
SECCLASS_KERNEL_SERVICE,
KERNEL_SERVICE__USE_AS_OVERRIDE,
@@ -4312,7 +4312,7 @@ static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
u32 sid = current_sid();
int ret;
- ret = avc_has_perm(current_selinux_state,
+ ret = avc_has_perm(tsec->state,
sid, isec->sid,
SECCLASS_KERNEL_SERVICE,
KERNEL_SERVICE__CREATE_FILES_AS,
@@ -4504,7 +4504,7 @@ static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcre
av |= PROCESS__SETRLIMIT;
if (flags & LSM_PRLIMIT_READ)
av |= PROCESS__GETRLIMIT;
- return avc_has_perm(current_selinux_state,
+ return avc_has_perm(cred_selinux_state(cred),
cred_sid(cred), cred_sid(tcred),
SECCLASS_PROCESS, av, NULL);
}
@@ -7089,7 +7089,7 @@ static int selinux_key_permission(key_ref_t key_ref,
key = key_ref_to_ptr(key_ref);
ksec = selinux_key(key);
- return avc_has_perm(current_selinux_state,
+ return avc_has_perm(cred_selinux_state(cred),
sid, ksec->sid, SECCLASS_KEY, perm, NULL);
}
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index b94cc01f181a..5db362488a3f 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -183,6 +183,8 @@ static inline u32 current_sid(void)
#define current_selinux_state (selinux_cred(current_cred())->state)
+#define cred_selinux_state(cred) (selinux_cred(cred)->state)
+
static inline bool selinux_initialized(const struct selinux_state *state)
{
/* do a synchronized load to avoid race conditions */
--
2.49.0
next prev parent reply other threads:[~2025-06-20 17:45 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-20 17:44 [PATCH v6 00/42] SELinux namespace support Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 01/42] selinux: restore passing of selinux_state Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 02/42] selinux: introduce current_selinux_state Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 03/42] selinux: support multiple selinuxfs instances Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 04/42] selinux: dynamically allocate selinux namespace Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 05/42] netstate,selinux: create the selinux netlink socket per network namespace Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 06/42] selinux: limit selinux netlink notifications to init namespace Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 07/42] selinux: support per-task/cred selinux namespace Stephen Smalley
2025-06-20 17:44 ` Stephen Smalley [this message]
2025-06-20 17:44 ` [PATCH v6 09/42] selinux: init inode from nearest initialized namespace Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 10/42] selinux: add a selinuxfs interface to unshare selinux namespace Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 11/42] selinux: add limits for SELinux namespaces Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 12/42] selinux: exempt creation of init SELinux namespace from limits Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 13/42] selinux: refactor selinux_state_create() Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 14/42] selinux: allow userspace to detect non-init SELinux namespace Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 15/42] selinuxfs: restrict write operations to the same selinux namespace Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 16/42] selinux: introduce a global SID table Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 17/42] selinux: wrap security server interfaces to use the " Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 18/42] selinux: introduce a Kconfig option for SELinux namespaces Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 19/42] selinux: eliminate global SID table if !CONFIG_SECURITY_SELINUX_NS Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 20/42] selinux: maintain a small cache in the global SID table Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 21/42] selinux: update hook functions to use correct selinux namespace Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 22/42] selinux: introduce cred_task_has_perm() Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 23/42] selinux: introduce cred_has_extended_perms() Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 24/42] selinux: introduce cred_self_has_perm() Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 25/42] selinux: introduce cred_has_perm() Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 26/42] selinux: introduce cred_ssid_has_perm() and cred_other_has_perm() Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 27/42] selinux: introduce task_obj_has_perm() Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 28/42] selinux: update bprm hooks for selinux namespaces Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 29/42] selinux: add kerneldoc to new permission checking functions Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 30/42] selinux: convert selinux_file_send_sigiotask() to namespace-aware helper Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 31/42] selinux: rename cred_has_perm*() to cred_tsid_has_perm*() Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 32/42] selinux: update cred_tsid_has_perm_noaudit() to return the combined avd Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 33/42] selinux: convert additional checks to cred_ssid_has_perm() Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 34/42] selinux: introduce selinux_state_has_perm() Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 35/42] selinux: annotate selinuxfs permission checks Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 36/42] selinux: annotate process transition " Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 37/42] selinux: convert xfrm and netlabel " Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 38/42] selinux: switch selinux_lsm_setattr() checks to current namespace Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 39/42] selinux: make open_perms namespace-aware Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 40/42] selinux: split cred_ssid_has_perm() into two cases Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 41/42] selinux: convert nlmsg_sock_has_extended_perms() to namespace-aware Stephen Smalley
2025-06-20 17:44 ` [PATCH v6 42/42] selinux: disallow writes to /sys/fs/selinux/user in non-init namespaces Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250620174502.1838-9-stephen.smalley.work@gmail.com \
--to=stephen.smalley.work@gmail.com \
--cc=horms@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).