From: Stephen Smalley <stephen.smalley.work@gmail.com>
To: selinux@vger.kernel.org
Cc: paul@paul-moore.com, omosnace@redhat.com, netdev@vger.kernel.org,
horms@kernel.org,
Stephen Smalley <stephen.smalley.work@gmail.com>
Subject: [PATCH v7 22/42] selinux: introduce cred_task_has_perm()
Date: Thu, 14 Aug 2025 09:26:13 -0400 [thread overview]
Message-ID: <20250814132637.1659-23-stephen.smalley.work@gmail.com> (raw)
In-Reply-To: <20250814132637.1659-1-stephen.smalley.work@gmail.com>
Introduce cred_task_has_perm() for checking permissions between a cred
and a target task against not only the current SELinux namespace but all
ancestor namespaces too.
Convert existing cred-task permission checks in the SELinux hook
functions to use cred_task_has_perm() instead of calling avc_has_perm().
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
security/selinux/avc.c | 44 +++++++++++++++++
security/selinux/hooks.c | 89 +++++++++++++---------------------
security/selinux/include/avc.h | 4 ++
3 files changed, 81 insertions(+), 56 deletions(-)
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 056e597912ec..44caaead16aa 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -1246,6 +1246,50 @@ int avc_has_perm(struct selinux_state *state, u32 ssid, u32 tsid, u16 tclass,
return rc;
}
+static u32 task_sid_obj_for_state(const struct task_struct *p,
+ const struct selinux_state *state)
+{
+ const struct task_security_struct *tsec;
+ u32 sid;
+
+ rcu_read_lock();
+ tsec = selinux_cred(__task_cred(p));
+ while (tsec->state != state && tsec->parent_cred)
+ tsec = selinux_cred(tsec->parent_cred);
+ if (tsec->state == state)
+ sid = tsec->sid;
+ else
+ sid = SECINITSID_UNLABELED;
+ rcu_read_unlock();
+ return sid;
+}
+
+int cred_task_has_perm(const struct cred *cred, const struct task_struct *p,
+ u16 tclass, u32 requested,
+ struct common_audit_data *ad)
+{
+ struct task_security_struct *tsec;
+ struct selinux_state *state;
+ u32 ssid;
+ u32 tsid;
+ int rc;
+
+ do {
+ tsec = selinux_cred(cred);
+ ssid = tsec->sid;
+ state = tsec->state;
+ tsid = task_sid_obj_for_state(p, state);
+
+ rc = avc_has_perm(state, ssid, tsid, tclass, requested, ad);
+ if (rc)
+ return rc;
+
+ cred = tsec->parent_cred;
+ } while (cred);
+
+ return 0;
+}
+
u32 avc_policy_seqno(struct selinux_state *state)
{
return state->avc->avc_cache.latest_notif;
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 99a83acfa19e..d21b3d03cced 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2154,15 +2154,12 @@ static int selinux_binder_transfer_file(const struct cred *from,
static int selinux_ptrace_access_check(struct task_struct *child,
unsigned int mode)
{
- u32 sid = current_sid();
- u32 csid = task_sid_obj(child);
-
if (mode & PTRACE_MODE_READ)
- return avc_has_perm(current_selinux_state,
- sid, csid, SECCLASS_FILE, FILE__READ, NULL);
+ return cred_task_has_perm(current_cred(), child,
+ SECCLASS_FILE, FILE__READ, NULL);
- return avc_has_perm(current_selinux_state,
- sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
+ return cred_task_has_perm(current_cred(), child, SECCLASS_PROCESS,
+ PROCESS__PTRACE, NULL);
}
static int selinux_ptrace_traceme(struct task_struct *parent)
@@ -2175,9 +2172,8 @@ static int selinux_ptrace_traceme(struct task_struct *parent)
static int selinux_capget(const struct task_struct *target, kernel_cap_t *effective,
kernel_cap_t *inheritable, kernel_cap_t *permitted)
{
- return avc_has_perm(current_selinux_state,
- current_sid(), task_sid_obj(target), SECCLASS_PROCESS,
- PROCESS__GETCAP, NULL);
+ return cred_task_has_perm(current_cred(), target, SECCLASS_PROCESS,
+ PROCESS__GETCAP, NULL);
}
static int selinux_capset(struct cred *new, const struct cred *old,
@@ -4460,23 +4456,20 @@ static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents)
static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
{
- return avc_has_perm(current_selinux_state,
- current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
- PROCESS__SETPGID, NULL);
+ return cred_task_has_perm(current_cred(), p, SECCLASS_PROCESS,
+ PROCESS__SETPGID, NULL);
}
static int selinux_task_getpgid(struct task_struct *p)
{
- return avc_has_perm(current_selinux_state,
- current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
- PROCESS__GETPGID, NULL);
+ return cred_task_has_perm(current_cred(), p, SECCLASS_PROCESS,
+ PROCESS__GETPGID, NULL);
}
static int selinux_task_getsid(struct task_struct *p)
{
- return avc_has_perm(current_selinux_state,
- current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
- PROCESS__GETSESSION, NULL);
+ return cred_task_has_perm(current_cred(), p, SECCLASS_PROCESS,
+ PROCESS__GETSESSION, NULL);
}
static void selinux_current_getlsmprop_subj(struct lsm_prop *prop)
@@ -4492,23 +4485,20 @@ static void selinux_task_getlsmprop_obj(struct task_struct *p,
static int selinux_task_setnice(struct task_struct *p, int nice)
{
- return avc_has_perm(current_selinux_state,
- current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
- PROCESS__SETSCHED, NULL);
+ return cred_task_has_perm(current_cred(), p, SECCLASS_PROCESS,
+ PROCESS__SETSCHED, NULL);
}
static int selinux_task_setioprio(struct task_struct *p, int ioprio)
{
- return avc_has_perm(current_selinux_state,
- current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
- PROCESS__SETSCHED, NULL);
+ return cred_task_has_perm(current_cred(), p, SECCLASS_PROCESS,
+ PROCESS__SETSCHED, NULL);
}
static int selinux_task_getioprio(struct task_struct *p)
{
- return avc_has_perm(current_selinux_state,
- current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
- PROCESS__GETSCHED, NULL);
+ return cred_task_has_perm(current_cred(), p, SECCLASS_PROCESS,
+ PROCESS__GETSCHED, NULL);
}
static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
@@ -4537,56 +4527,43 @@ static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
later be used as a safe reset point for the soft limit
upon context transitions. See selinux_bprm_committing_creds. */
if (old_rlim->rlim_max != new_rlim->rlim_max)
- return avc_has_perm(current_selinux_state,
- current_sid(), task_sid_obj(p),
- SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
+ return cred_task_has_perm(current_cred(), p, SECCLASS_PROCESS,
+ PROCESS__SETRLIMIT, NULL);
return 0;
}
static int selinux_task_setscheduler(struct task_struct *p)
{
- return avc_has_perm(current_selinux_state,
- current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
- PROCESS__SETSCHED, NULL);
+ return cred_task_has_perm(current_cred(), p, SECCLASS_PROCESS,
+ PROCESS__SETSCHED, NULL);
}
static int selinux_task_getscheduler(struct task_struct *p)
{
- return avc_has_perm(current_selinux_state,
- current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
- PROCESS__GETSCHED, NULL);
+ return cred_task_has_perm(current_cred(), p, SECCLASS_PROCESS,
+ PROCESS__GETSCHED, NULL);
}
static int selinux_task_movememory(struct task_struct *p)
{
- return avc_has_perm(current_selinux_state,
- current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
- PROCESS__SETSCHED, NULL);
+ return cred_task_has_perm(current_cred(), p, SECCLASS_PROCESS,
+ PROCESS__SETSCHED, NULL);
}
static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
int sig, const struct cred *cred)
{
- struct selinux_state *state;
- u32 secid;
u32 perm;
- if (cred)
- state = cred_selinux_state(cred);
- else
- state = current_selinux_state;
+ if (!cred)
+ cred = current_cred();
if (!sig)
perm = PROCESS__SIGNULL; /* null signal; existence test */
else
perm = signal_to_av(sig);
- if (!cred)
- secid = current_sid();
- else
- secid = cred_sid(cred);
- return avc_has_perm(state, secid, task_sid_obj(p),
- SECCLASS_PROCESS, perm, NULL);
+ return cred_task_has_perm(cred, p, SECCLASS_PROCESS, perm, NULL);
}
static void selinux_task_to_inode(struct task_struct *p,
@@ -6730,14 +6707,14 @@ static int selinux_lsm_getattr(unsigned int attr, struct task_struct *p,
u32 len;
rcu_read_lock();
- tsec = task_security(p);
if (p != current) {
- error = avc_has_perm(current_selinux_state,
- current_sid(), tsec->sid,
- SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
+ error = cred_task_has_perm(current_cred(), p,
+ SECCLASS_PROCESS,
+ PROCESS__GETATTR, NULL);
if (error)
goto err_unlock;
}
+ tsec = task_security(p);
switch (attr) {
case LSM_ATTR_CURRENT:
sid = tsec->sid;
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index f6a500e9d74d..5d79bb7c610c 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -150,6 +150,10 @@ int avc_has_extended_perms(struct selinux_state *state, u32 ssid, u32 tsid,
u16 tclass, u32 requested, u8 driver, u8 base_perm,
u8 perm, struct common_audit_data *ad);
+int cred_task_has_perm(const struct cred *cred, const struct task_struct *p,
+ u16 tclass, u32 requested,
+ struct common_audit_data *auditdata);
+
u32 avc_policy_seqno(struct selinux_state *state);
#define AVC_CALLBACK_GRANT 1
--
2.50.1
next prev parent reply other threads:[~2025-08-14 13:27 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-14 13:25 [PATCH v7 00/42] SELinux namespace support Stephen Smalley
2025-08-14 13:25 ` [PATCH v7 01/42] selinux: restore passing of selinux_state Stephen Smalley
2025-08-14 13:25 ` [PATCH v7 02/42] selinux: introduce current_selinux_state Stephen Smalley
2025-08-14 13:25 ` [PATCH v7 03/42] selinux: support multiple selinuxfs instances Stephen Smalley
2025-08-14 13:25 ` [PATCH v7 04/42] selinux: dynamically allocate selinux namespace Stephen Smalley
2025-08-14 13:25 ` [PATCH v7 05/42] netstate,selinux: create the selinux netlink socket per network namespace Stephen Smalley
2025-08-14 13:25 ` [PATCH v7 06/42] selinux: limit selinux netlink notifications to init namespace Stephen Smalley
2025-08-14 13:25 ` [PATCH v7 07/42] selinux: support per-task/cred selinux namespace Stephen Smalley
2025-08-14 13:25 ` [PATCH v7 08/42] selinux: introduce cred_selinux_state() and use it Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 09/42] selinux: init inode from nearest initialized namespace Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 10/42] selinux: add a selinuxfs interface to unshare selinux namespace Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 11/42] selinux: add limits for SELinux namespaces Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 12/42] selinux: exempt creation of init SELinux namespace from limits Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 13/42] selinux: refactor selinux_state_create() Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 14/42] selinux: allow userspace to detect non-init SELinux namespace Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 15/42] selinuxfs: restrict write operations to the same selinux namespace Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 16/42] selinux: introduce a global SID table Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 17/42] selinux: wrap security server interfaces to use the " Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 18/42] selinux: introduce a Kconfig option for SELinux namespaces Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 19/42] selinux: eliminate global SID table if !CONFIG_SECURITY_SELINUX_NS Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 20/42] selinux: maintain a small cache in the global SID table Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 21/42] selinux: update hook functions to use correct selinux namespace Stephen Smalley
2025-08-14 13:26 ` Stephen Smalley [this message]
2025-08-14 13:26 ` [PATCH v7 23/42] selinux: introduce cred_has_extended_perms() Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 24/42] selinux: introduce cred_self_has_perm() Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 25/42] selinux: introduce cred_has_perm() Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 26/42] selinux: introduce cred_ssid_has_perm() and cred_other_has_perm() Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 27/42] selinux: introduce task_obj_has_perm() Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 28/42] selinux: update bprm hooks for selinux namespaces Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 29/42] selinux: add kerneldoc to new permission checking functions Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 30/42] selinux: convert selinux_file_send_sigiotask() to namespace-aware helper Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 31/42] selinux: rename cred_has_perm*() to cred_tsid_has_perm*() Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 32/42] selinux: update cred_tsid_has_perm_noaudit() to return the combined avd Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 33/42] selinux: convert additional checks to cred_ssid_has_perm() Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 34/42] selinux: introduce selinux_state_has_perm() Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 35/42] selinux: annotate selinuxfs permission checks Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 36/42] selinux: annotate process transition " Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 37/42] selinux: convert xfrm and netlabel " Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 38/42] selinux: switch selinux_lsm_setattr() checks to current namespace Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 39/42] selinux: make open_perms namespace-aware Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 40/42] selinux: split cred_ssid_has_perm() into two cases Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 41/42] selinux: convert nlmsg_sock_has_extended_perms() to namespace-aware Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 42/42] selinux: disallow writes to /sys/fs/selinux/user in non-init namespaces Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250814132637.1659-23-stephen.smalley.work@gmail.com \
--to=stephen.smalley.work@gmail.com \
--cc=horms@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).