[PATCH v2 29/49] selinux: switch selinux_lsm_setattr() checks to current namespace

selinux.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Stephen Smalley <stephen.smalley.work@gmail.com>
To: selinux@vger.kernel.org
Cc: paul@paul-moore.com, omosnace@redhat.com,
	Stephen Smalley <stephen.smalley.work@gmail.com>
Subject: [PATCH v2 29/49] selinux: switch selinux_lsm_setattr() checks to current namespace
Date: Thu, 15 May 2025 09:09:27 -0400	[thread overview]
Message-ID: <20250515130947.52806-30-stephen.smalley.work@gmail.com> (raw)
In-Reply-To: <20250515130947.52806-1-stephen.smalley.work@gmail.com>

Switch the selinux_lsm_setattr() checks to only check against
the current SELinux namespace because this operation only changes
the SID in the current namespace.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 security/selinux/hooks.c | 44 ++++++++++++++++++++++------------------
 1 file changed, 24 insertions(+), 20 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 383e032cd536..3c410ffd6c52 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -6731,35 +6731,41 @@ static int selinux_lsm_getattr(unsigned int attr, struct task_struct *p,
 static int selinux_lsm_setattr(u64 attr, void *value, size_t size)
 {
 	const struct cred *cred = current_cred();
+	struct selinux_state *state = current_selinux_state;
 	struct task_security_struct *tsec;
 	struct cred *new;
-	u32 sid = 0, ptsid;
+	u32 mysid = current_sid(), sid = 0, ptsid;
 	int error;
 	char *str = value;
 
 	/*
 	 * Basic control over ability to set these attributes at all.
 	 */
+	/*
+	 * Only check against the current SELinux namespace
+	 * because only the SID in the current namespace
+	 * is changed by this operation.
+	 */
 	switch (attr) {
 	case LSM_ATTR_EXEC:
-		error = cred_self_has_perm(cred, SECCLASS_PROCESS,
-					   PROCESS__SETEXEC, NULL);
+		error = avc_has_perm(state, mysid, mysid, SECCLASS_PROCESS,
+				     PROCESS__SETEXEC, NULL);
 		break;
 	case LSM_ATTR_FSCREATE:
-		error = cred_self_has_perm(cred, SECCLASS_PROCESS,
-					   PROCESS__SETFSCREATE, NULL);
+		error = avc_has_perm(state, mysid, mysid, SECCLASS_PROCESS,
+				     PROCESS__SETFSCREATE, NULL);
 		break;
 	case LSM_ATTR_KEYCREATE:
-		error = cred_self_has_perm(cred, SECCLASS_PROCESS,
-					   PROCESS__SETKEYCREATE, NULL);
+		error = avc_has_perm(state, mysid, mysid, SECCLASS_PROCESS,
+				     PROCESS__SETKEYCREATE, NULL);
 		break;
 	case LSM_ATTR_SOCKCREATE:
-		error = cred_self_has_perm(cred, SECCLASS_PROCESS,
-					   PROCESS__SETSOCKCREATE, NULL);
+		error = avc_has_perm(state, mysid, mysid, SECCLASS_PROCESS,
+				     PROCESS__SETSOCKCREATE, NULL);
 		break;
 	case LSM_ATTR_CURRENT:
-		error = cred_self_has_perm(cred, SECCLASS_PROCESS,
-					   PROCESS__SETCURRENT, NULL);
+		error = avc_has_perm(state, mysid, mysid, SECCLASS_PROCESS,
+				     PROCESS__SETCURRENT, NULL);
 		break;
 	default:
 		error = -EOPNOTSUPP;
@@ -6774,7 +6780,7 @@ static int selinux_lsm_setattr(u64 attr, void *value, size_t size)
 			str[size-1] = 0;
 			size--;
 		}
-		error = security_context_to_sid(current_selinux_state, value, size,
+		error = security_context_to_sid(state, value, size,
 						&sid, GFP_KERNEL);
 		if (error == -EINVAL && attr == LSM_ATTR_FSCREATE) {
 			if (!has_cap_mac_admin(true)) {
@@ -6800,9 +6806,8 @@ static int selinux_lsm_setattr(u64 attr, void *value, size_t size)
 
 				return error;
 			}
-			error = security_context_to_sid_force(
-						      current_selinux_state,
-						      value, size, &sid);
+			error = security_context_to_sid_force(state, value,
+							      size, &sid);
 		}
 		if (error)
 			return error;
@@ -6839,7 +6844,7 @@ static int selinux_lsm_setattr(u64 attr, void *value, size_t size)
 			goto abort_change;
 
 		if (!current_is_single_threaded()) {
-			error = security_bounded_transition(current_selinux_state,
+			error = security_bounded_transition(state,
 							    tsec->sid, sid);
 			if (error)
 				goto abort_change;
@@ -6851,8 +6856,7 @@ static int selinux_lsm_setattr(u64 attr, void *value, size_t size)
 		 * because only the SID in the current namespace
 		 * is changed by a transition.
 		 */
-		error = avc_has_perm(current_selinux_state,
-				     tsec->sid, sid, SECCLASS_PROCESS,
+		error = avc_has_perm(state, tsec->sid, sid, SECCLASS_PROCESS,
 				     PROCESS__DYNTRANSITION, NULL);
 		if (error)
 			goto abort_change;
@@ -6866,8 +6870,8 @@ static int selinux_lsm_setattr(u64 attr, void *value, size_t size)
 			 * because only the SID in the current namespace
 			 * is changed by a transition.
 			 */
-			error = avc_has_perm(current_selinux_state,
-					     ptsid, sid, SECCLASS_PROCESS,
+			error = avc_has_perm(state, ptsid, sid,
+					     SECCLASS_PROCESS,
 					     PROCESS__PTRACE, NULL);
 			if (error)
 				goto abort_change;
-- 
2.49.0

next prev parent reply	other threads:[~2025-05-15 13:10 UTC|newest]

Thread overview: 53+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-05-15 13:08 [PATCH v2 00/49] SELinux namespace support Stephen Smalley
2025-05-15 13:08 ` [PATCH v2 01/49] selinux: restore passing of selinux_state Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 02/49] selinux: introduce current_selinux_state Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 03/49] selinux: support multiple selinuxfs instances Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 04/49] selinux: dynamically allocate selinux namespace Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 05/49] netstate,selinux: create the selinux netlink socket per network namespace Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 06/49] selinux: support per-task/cred selinux namespace Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 07/49] selinux: introduce cred_selinux_state() and use it Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 08/49] selinux: add a selinuxfs interface to unshare selinux namespace Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 09/49] selinuxfs: restrict write operations to the same " Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 10/49] selinux: introduce a global SID table Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 11/49] selinux: wrap security server interfaces to use the " Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 12/49] selinux: update hook functions to use correct selinux namespace Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 13/49] selinux: introduce cred_task_has_perm() Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 14/49] selinux: introduce cred_has_extended_perms() Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 15/49] selinux: introduce cred_self_has_perm() Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 16/49] selinux: introduce cred_has_perm() Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 17/49] selinux: introduce cred_ssid_has_perm() and cred_other_has_perm() Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 18/49] selinux: introduce task_obj_perm() Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 19/49] selinux: fix selinux_lsm_getattr() check Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 20/49] selinux: update bprm hooks for selinux namespaces Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 21/49] selinux: add kerneldoc to new permission checking functions Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 22/49] selinux: convert selinux_file_send_sigiotask() to namespace-aware helper Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 23/49] selinux: rename cred_has_perm*() to cred_tsid_has_perm*() Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 24/49] selinux: convert additional checks to cred_ssid_has_perm() Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 25/49] selinux: introduce selinux_state_has_perm() Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 26/49] selinux: annotate selinuxfs permission checks Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 27/49] selinux: annotate process transition " Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 28/49] selinux: convert xfrm and netlabel " Stephen Smalley
2025-05-15 13:09 ` Stephen Smalley [this message]
2025-05-15 13:09 ` [PATCH v2 30/49] selinux: add limits for SELinux namespaces Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 31/49] selinux: fix namespace creation Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 32/49] selinux: limit selinux netlink notifications to init namespace Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 33/49] selinux: refactor selinux_state_create() Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 34/49] selinux: make open_perms namespace-aware Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 35/49] selinux: split cred_ssid_has_perm() into two cases Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 36/49] selinux: set initial SID context for init to "kernel" in global SID table Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 37/49] selinux: disallow writes to /sys/fs/selinux/user in non-init namespaces Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 38/49] selinux: convert nlmsg_sock_has_extended_perms() to namespace-aware Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 39/49] selinux: init inode from nearest initialized namespace Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 40/49] selinux: allow userspace to detect non-init SELinux namespace Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 41/49] selinux: exempt creation of init SELinux namespace from limits Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 42/49] selinux: introduce a Kconfig option for SELinux namespaces Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 43/49] selinux: eliminate global SID table if !CONFIG_SECURITY_SELINUX_NS Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 44/49] selinux: maintain a small cache in the global SID table Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 45/49] selinux: change /sys/fs/selinux/unshare to check current process state Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 46/49] selinux: acquire/release SELinux state properly in socket hooks Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 47/49] selinux: update cred_tsid_has_perm_noaudit() to return the combined avd Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 48/49] selinux: repair security_fs_use() interface and its users Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 49/49] selinux: style cleanups for node_sid prototypes Stephen Smalley
2025-05-15 13:35 ` [PATCH v2 00/49] SELinux namespace support Stephen Smalley
2025-05-15 13:59   ` Stephen Smalley
2025-05-20 12:06     ` Stephen Smalley

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:383e032cd53 dfblob:3c410ffd6c5 )
 OR (
bs:"[PATCH v2 29/49] selinux: switch selinux_lsm_setattr() checks to current namespace" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250515130947.52806-30-stephen.smalley.work@gmail.com \
    --to=stephen.smalley.work@gmail.com \
    --cc=omosnace@redhat.com \
    --cc=paul@paul-moore.com \
    --cc=selinux@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).