From: Stephen Smalley <stephen.smalley.work@gmail.com>
To: selinux@vger.kernel.org
Cc: paul@paul-moore.com, omosnace@redhat.com, netdev@vger.kernel.org,
horms@kernel.org,
Stephen Smalley <stephen.smalley.work@gmail.com>
Subject: [PATCH v7 24/42] selinux: introduce cred_self_has_perm()
Date: Thu, 14 Aug 2025 09:26:15 -0400 [thread overview]
Message-ID: <20250814132637.1659-25-stephen.smalley.work@gmail.com> (raw)
In-Reply-To: <20250814132637.1659-1-stephen.smalley.work@gmail.com>
Introduce a cred_self_has_perm() function for checking permissions
between a cred and itself against the current SELinux namespace
and all ancestors. Also provide a cred_self_has_perm_noaudit() variant
for use where auditing is not desired.
Update existing permission checks in the hook functions to use this
new helper.
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
security/selinux/avc.c | 47 +++++++++++++++++
security/selinux/hooks.c | 92 ++++++++++++----------------------
security/selinux/include/avc.h | 6 +++
3 files changed, 86 insertions(+), 59 deletions(-)
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 03760f7e7cac..510bbbaf4a70 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -1316,6 +1316,53 @@ int cred_has_extended_perms(const struct cred *cred, u32 tsid, u16 tclass,
return 0;
}
+int cred_self_has_perm(const struct cred *cred, u16 tclass, u32 requested,
+ struct common_audit_data *ad)
+{
+ struct task_security_struct *tsec;
+ struct selinux_state *state;
+ u32 ssid;
+ int rc;
+
+ do {
+ tsec = selinux_cred(cred);
+ ssid = tsec->sid;
+ state = tsec->state;
+ rc = avc_has_perm(state, ssid, ssid, tclass, requested, ad);
+ if (rc)
+ return rc;
+
+ cred = tsec->parent_cred;
+ } while (cred);
+
+ return 0;
+}
+
+int cred_self_has_perm_noaudit(const struct cred *cred, u16 tclass,
+ u32 requested)
+{
+ struct task_security_struct *tsec;
+ struct selinux_state *state;
+ u32 ssid;
+ struct av_decision avd;
+ int rc;
+
+ do {
+ tsec = selinux_cred(cred);
+ ssid = tsec->sid;
+ state = tsec->state;
+
+ rc = avc_has_perm_noaudit(state, ssid, ssid, tclass,
+ requested, 0, &avd);
+ if (rc)
+ return rc;
+
+ cred = tsec->parent_cred;
+ } while (cred);
+
+ return 0;
+}
+
u32 avc_policy_seqno(struct selinux_state *state)
{
return state->avc->avc_cache.latest_notif;
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index f22acce323b8..ce2bfa56be6f 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1658,9 +1658,7 @@ static int cred_has_capability(const struct cred *cred,
int cap, unsigned int opts, bool initns)
{
struct common_audit_data ad;
- struct av_decision avd;
u16 sclass;
- u32 sid = cred_sid(cred);
u32 av = CAP_TO_MASK(cap);
int rc;
@@ -1680,14 +1678,11 @@ static int cred_has_capability(const struct cred *cred,
return -EINVAL;
}
- rc = avc_has_perm_noaudit(cred_selinux_state(cred),
- sid, sid, sclass, av, 0, &avd);
- if (!(opts & CAP_OPT_NOAUDIT)) {
- int rc2 = avc_audit(cred_selinux_state(cred),
- sid, sid, sclass, av, &avd, rc, &ad);
- if (rc2)
- return rc2;
- }
+ if (opts & CAP_OPT_NOAUDIT)
+ rc = cred_self_has_perm_noaudit(cred, sclass, av);
+ else
+ rc = cred_self_has_perm(cred, sclass, av, &ad);
+
return rc;
}
@@ -3999,7 +3994,6 @@ static int default_noexec __ro_after_init;
static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
{
const struct cred *cred = current_cred();
- u32 sid = cred_sid(cred);
int rc = 0;
if (default_noexec &&
@@ -4010,9 +4004,8 @@ static int file_map_prot_check(struct file *file, unsigned long prot, int shared
* private file mapping that will also be writable.
* This has an additional check.
*/
- rc = avc_has_perm(cred_selinux_state(cred),
- sid, sid, SECCLASS_PROCESS,
- PROCESS__EXECMEM, NULL);
+ rc = cred_self_has_perm(cred, SECCLASS_PROCESS,
+ PROCESS__EXECMEM, NULL);
if (rc)
goto error;
}
@@ -4040,10 +4033,8 @@ static int selinux_mmap_addr(unsigned long addr)
int rc = 0;
if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
- u32 sid = current_sid();
- rc = avc_has_perm(current_selinux_state,
- sid, sid, SECCLASS_MEMPROTECT,
- MEMPROTECT__MMAP_ZERO, NULL);
+ rc = cred_self_has_perm(current_cred(), SECCLASS_MEMPROTECT,
+ MEMPROTECT__MMAP_ZERO, NULL);
}
return rc;
@@ -4074,7 +4065,6 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
unsigned long prot)
{
const struct cred *cred = current_cred();
- u32 sid = cred_sid(cred);
if (default_noexec &&
(prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
@@ -4090,14 +4080,12 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
*/
if (vma->vm_start >= vma->vm_mm->start_brk &&
vma->vm_end <= vma->vm_mm->brk) {
- rc = avc_has_perm(cred_selinux_state(cred), sid, sid,
- SECCLASS_PROCESS, PROCESS__EXECHEAP,
- NULL);
+ rc = cred_self_has_perm(cred, SECCLASS_PROCESS,
+ PROCESS__EXECHEAP, NULL);
} else if (!vma->vm_file && (vma_is_initial_stack(vma) ||
vma_is_stack_for_current(vma))) {
- rc = avc_has_perm(cred_selinux_state(cred), sid, sid,
- SECCLASS_PROCESS, PROCESS__EXECSTACK,
- NULL);
+ rc = cred_self_has_perm(cred, SECCLASS_PROCESS,
+ PROCESS__EXECSTACK, NULL);
} else if (vma->vm_file && vma->anon_vma) {
/*
* We are making executable a file mapping that has
@@ -4232,10 +4220,8 @@ static int selinux_file_open(struct file *file)
static int selinux_task_alloc(struct task_struct *task,
unsigned long clone_flags)
{
- u32 sid = current_sid();
-
- return avc_has_perm(current_selinux_state,
- sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
+ return cred_self_has_perm(current_cred(), SECCLASS_PROCESS,
+ PROCESS__FORK, NULL);
}
/*
@@ -4357,9 +4343,8 @@ static int selinux_kernel_load_from_file(struct file *file, u32 requested)
int rc;
if (file == NULL)
- return avc_has_perm(current_selinux_state,
- sid, sid, SECCLASS_SYSTEM, requested,
- NULL);
+ return cred_self_has_perm(current_cred(), SECCLASS_SYSTEM,
+ requested, NULL);
/* finit_module */
ad.type = LSM_AUDIT_DATA_FILE;
@@ -4580,10 +4565,8 @@ static void selinux_task_to_inode(struct task_struct *p,
static int selinux_userns_create(const struct cred *cred)
{
- u32 sid = current_sid();
-
- return avc_has_perm(current_selinux_state, sid, sid, SECCLASS_USER_NAMESPACE,
- USER_NAMESPACE__CREATE, NULL);
+ return cred_self_has_perm(current_cred(), SECCLASS_USER_NAMESPACE,
+ USER_NAMESPACE__CREATE, NULL);
}
/* Returns error only if unable to parse addresses */
@@ -6767,29 +6750,24 @@ static int selinux_lsm_setattr(u64 attr, void *value, size_t size)
*/
switch (attr) {
case LSM_ATTR_EXEC:
- error = avc_has_perm(current_selinux_state,
- mysid, mysid, SECCLASS_PROCESS,
- PROCESS__SETEXEC, NULL);
+ error = cred_self_has_perm(current_cred(), SECCLASS_PROCESS,
+ PROCESS__SETEXEC, NULL);
break;
case LSM_ATTR_FSCREATE:
- error = avc_has_perm(current_selinux_state,
- mysid, mysid, SECCLASS_PROCESS,
- PROCESS__SETFSCREATE, NULL);
+ error = cred_self_has_perm(current_cred(), SECCLASS_PROCESS,
+ PROCESS__SETFSCREATE, NULL);
break;
case LSM_ATTR_KEYCREATE:
- error = avc_has_perm(current_selinux_state,
- mysid, mysid, SECCLASS_PROCESS,
- PROCESS__SETKEYCREATE, NULL);
+ error = cred_self_has_perm(current_cred(), SECCLASS_PROCESS,
+ PROCESS__SETKEYCREATE, NULL);
break;
case LSM_ATTR_SOCKCREATE:
- error = avc_has_perm(current_selinux_state,
- mysid, mysid, SECCLASS_PROCESS,
- PROCESS__SETSOCKCREATE, NULL);
+ error = cred_self_has_perm(current_cred(), SECCLASS_PROCESS,
+ PROCESS__SETSOCKCREATE, NULL);
break;
case LSM_ATTR_CURRENT:
- error = avc_has_perm(current_selinux_state,
- mysid, mysid, SECCLASS_PROCESS,
- PROCESS__SETCURRENT, NULL);
+ error = cred_self_has_perm(current_cred(), SECCLASS_PROCESS,
+ PROCESS__SETCURRENT, NULL);
break;
default:
error = -EOPNOTSUPP;
@@ -7456,10 +7434,8 @@ static int selinux_uring_override_creds(const struct cred *new)
*/
static int selinux_uring_sqpoll(void)
{
- u32 sid = current_sid();
-
- return avc_has_perm(current_selinux_state, sid, sid,
- SECCLASS_IO_URING, IO_URING__SQPOLL, NULL);
+ return cred_self_has_perm(current_cred(), SECCLASS_IO_URING,
+ IO_URING__SQPOLL, NULL);
}
/**
@@ -7491,10 +7467,8 @@ static int selinux_uring_cmd(struct io_uring_cmd *ioucmd)
*/
static int selinux_uring_allowed(void)
{
- u32 sid = current_sid();
-
- return avc_has_perm(current_selinux_state, sid, sid,
- SECCLASS_IO_URING, IO_URING__ALLOWED, NULL);
+ return cred_self_has_perm(current_cred(), SECCLASS_IO_URING,
+ IO_URING__ALLOWED, NULL);
}
#endif /* CONFIG_IO_URING */
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index adbbecc681f2..3fce5cf92b0a 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -158,6 +158,12 @@ int cred_has_extended_perms(const struct cred *cred, u32 tsid, u16 tclass,
u32 requested, u8 driver, u8 base_perm, u8 xperm,
struct common_audit_data *ad);
+int cred_self_has_perm(const struct cred *cred, u16 tclass, u32 requested,
+ struct common_audit_data *ad);
+
+int cred_self_has_perm_noaudit(const struct cred *cred, u16 tclass,
+ u32 requested);
+
u32 avc_policy_seqno(struct selinux_state *state);
#define AVC_CALLBACK_GRANT 1
--
2.50.1
next prev parent reply other threads:[~2025-08-14 13:27 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-14 13:25 [PATCH v7 00/42] SELinux namespace support Stephen Smalley
2025-08-14 13:25 ` [PATCH v7 01/42] selinux: restore passing of selinux_state Stephen Smalley
2025-08-14 13:25 ` [PATCH v7 02/42] selinux: introduce current_selinux_state Stephen Smalley
2025-08-14 13:25 ` [PATCH v7 03/42] selinux: support multiple selinuxfs instances Stephen Smalley
2025-08-14 13:25 ` [PATCH v7 04/42] selinux: dynamically allocate selinux namespace Stephen Smalley
2025-08-14 13:25 ` [PATCH v7 05/42] netstate,selinux: create the selinux netlink socket per network namespace Stephen Smalley
2025-08-14 13:25 ` [PATCH v7 06/42] selinux: limit selinux netlink notifications to init namespace Stephen Smalley
2025-08-14 13:25 ` [PATCH v7 07/42] selinux: support per-task/cred selinux namespace Stephen Smalley
2025-08-14 13:25 ` [PATCH v7 08/42] selinux: introduce cred_selinux_state() and use it Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 09/42] selinux: init inode from nearest initialized namespace Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 10/42] selinux: add a selinuxfs interface to unshare selinux namespace Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 11/42] selinux: add limits for SELinux namespaces Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 12/42] selinux: exempt creation of init SELinux namespace from limits Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 13/42] selinux: refactor selinux_state_create() Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 14/42] selinux: allow userspace to detect non-init SELinux namespace Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 15/42] selinuxfs: restrict write operations to the same selinux namespace Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 16/42] selinux: introduce a global SID table Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 17/42] selinux: wrap security server interfaces to use the " Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 18/42] selinux: introduce a Kconfig option for SELinux namespaces Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 19/42] selinux: eliminate global SID table if !CONFIG_SECURITY_SELINUX_NS Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 20/42] selinux: maintain a small cache in the global SID table Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 21/42] selinux: update hook functions to use correct selinux namespace Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 22/42] selinux: introduce cred_task_has_perm() Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 23/42] selinux: introduce cred_has_extended_perms() Stephen Smalley
2025-08-14 13:26 ` Stephen Smalley [this message]
2025-08-14 13:26 ` [PATCH v7 25/42] selinux: introduce cred_has_perm() Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 26/42] selinux: introduce cred_ssid_has_perm() and cred_other_has_perm() Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 27/42] selinux: introduce task_obj_has_perm() Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 28/42] selinux: update bprm hooks for selinux namespaces Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 29/42] selinux: add kerneldoc to new permission checking functions Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 30/42] selinux: convert selinux_file_send_sigiotask() to namespace-aware helper Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 31/42] selinux: rename cred_has_perm*() to cred_tsid_has_perm*() Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 32/42] selinux: update cred_tsid_has_perm_noaudit() to return the combined avd Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 33/42] selinux: convert additional checks to cred_ssid_has_perm() Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 34/42] selinux: introduce selinux_state_has_perm() Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 35/42] selinux: annotate selinuxfs permission checks Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 36/42] selinux: annotate process transition " Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 37/42] selinux: convert xfrm and netlabel " Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 38/42] selinux: switch selinux_lsm_setattr() checks to current namespace Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 39/42] selinux: make open_perms namespace-aware Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 40/42] selinux: split cred_ssid_has_perm() into two cases Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 41/42] selinux: convert nlmsg_sock_has_extended_perms() to namespace-aware Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 42/42] selinux: disallow writes to /sys/fs/selinux/user in non-init namespaces Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250814132637.1659-25-stephen.smalley.work@gmail.com \
--to=stephen.smalley.work@gmail.com \
--cc=horms@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).