Commit 690ffcd8 authored by Linus Torvalds's avatar Linus Torvalds
Pull selinux updates from Paul Moore:

 - Extended permissions supported in conditional policy

   The SELinux extended permissions, aka "xperms", allow security admins
   to target individuals ioctls, and recently netlink messages, with
   their SELinux policy. Adding support for conditional policies allows
   admins to toggle the granular xperms using SELinux booleans, helping
   pave the way for greater use of xperms in general purpose SELinux
   policies. This change bumps the maximum SELinux policy version to 34.

 - Fix a SCTP/SELinux error return code inconsistency

   Depending on the loaded SELinux policy, specifically its
   EXTSOCKCLASS support, the bind(2) LSM/SELinux hook could return
   different error codes due to the SELinux code checking the socket's
   SELinux object class (which can vary depending on EXTSOCKCLASS) and
   not the socket's sk_protocol field. We fix this by doing the obvious,
   and looking at the sock->sk_protocol field instead of the object
   class.

 - Makefile fixes to properly cleanup av_permissions.h

   Add av_permissions.h to "targets" so that it is properly cleaned up
   using the kbuild infrastructure.

 - A number of smaller improvements by Christian Göttsche

   A variety of straightforward changes to reduce code duplication,
   reduce pointer lookups, migrate void pointers to defined types,
   simplify code, constify function parameters, and correct iterator
   types.

* tag 'selinux-pr-20250121' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
  selinux: make more use of str_read() when loading the policy
  selinux: avoid unnecessary indirection in struct level_datum
  selinux: use known type instead of void pointer
  selinux: rename comparison functions for clarity
  selinux: rework match_ipv6_addrmask()
  selinux: constify and reconcile function parameter names
  selinux: avoid using types indicating user space interaction
  selinux: supply missing field initializers
  selinux: add netlink nlmsg_type audit message
  selinux: add support for xperms in conditional policies
  selinux: Fix SCTP error inconsistency in selinux_socket_bind()
  selinux: use native iterator types
  selinux: add generated av_permissions.h to targets
parents f96a9741 01c2253a
+2 −0
@@ -77,6 +77,7 @@ struct common_audit_data {
#define LSM_AUDIT_DATA_LOCKDOWN 15
#define LSM_AUDIT_DATA_NOTIFICATION 16
#define LSM_AUDIT_DATA_ANONINODE	17
#define LSM_AUDIT_DATA_NLMSGTYPE	18
	union 	{
		struct path path;
		struct dentry *dentry;
@@ -98,6 +99,7 @@ struct common_audit_data {
		struct lsm_ibendport_audit *ibendport;
		int reason;
		const char *anonclass;
		u16 nlmsg_type;
	} u;
	/* this union contains LSM specific data */
	union {
+3 −0
@@ -425,6 +425,9 @@ static void dump_common_audit_data(struct audit_buffer *ab,
	case LSM_AUDIT_DATA_ANONINODE:
		audit_log_format(ab, " anonclass=%s", a->u.anonclass);
		break;
	case LSM_AUDIT_DATA_NLMSGTYPE:
		audit_log_format(ab, " nl-msgtype=%hu", a->u.nlmsg_type);
		break;
	} /* switch (a->type) */
}
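Review bot: The audit key `nl-msgtype` written by the new `audit_log_format()` call is the only hyphenated key in this switch, while the neighbouring case writes `anonclass` and the constant and union member it belongs to are spelled `LSM_AUDIT_DATA_NLMSGTYPE` / `nlmsg_type`; since the key becomes part of the audit record format once it ships, settle the spelling now rather than after userspace starts matching on it. The value is printed in decimal, but the SELinux consumer splits it into a driver byte and an xperm byte (`nlmsg_type >> 8`, `nlmsg_type & 0xff`), so a hex rendering would be easier to correlate with policy; that is a choice, not a defect, and `%hu` is correct for the u16 member after promotion. A short comment on the case, `/* raw netlink nlmsg_type as received; SELinux treats it as driver << 8 | xperm */`, would tell the reader where the number comes from.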

+3 −4
@@ -33,11 +33,10 @@ $(addprefix $(obj)/,$(selinux-y)): $(obj)/flask.h
quiet_cmd_genhdrs = GEN     $(addprefix $(obj)/,$(genhdrs))
      cmd_genhdrs = $< $(addprefix $(obj)/,$(genhdrs))

# see the note above, replace the $targets and 'flask.h' rule with the lines
# below:
#  targets += $(genhdrs)
targets += $(genhdrs)

# see the note above, replace the 'flask.h' rule with the line below:
#  $(addprefix $(obj)/,$(genhdrs)) &: $(obj)/genheaders FORCE
targets += flask.h
$(obj)/flask.h: $(obj)/genheaders FORCE
	$(call if_changed,genhdrs)
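Review bot: `targets += flask.h` directly below the new `targets += $(genhdrs)` looks redundant if `$(genhdrs)` already lists flask.h; its definition is above the hunk, so this is inferred from the pull description saying av_permissions.h was added to targets via this list, and either the second line should go or the comment should say why both are kept. The rewritten comment still refers to "the note above" and to a commented-out grouped-target rule (`&:`) that a reader of this hunk cannot see, so a self-contained pointer such as `# $(genhdrs) are generated together; flask.h is the stand-in target until the grouped-target rule above can be used` would make the intent clear without scrolling.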

+5 −5
@@ -407,7 +407,7 @@ static const struct {

static int match_opt_prefix(char *s, int l, char **arg)
{
	int i;
	unsigned int i;

	for (i = 0; i < ARRAY_SIZE(tokens); i++) {
		size_t len = tokens[i].len;
@@ -3135,7 +3135,7 @@ static int selinux_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
	const struct cred *cred = current_cred();
	struct inode *inode = d_backing_inode(dentry);
	unsigned int ia_valid = iattr->ia_valid;
	__u32 av = FILE__WRITE;
	u32 av = FILE__WRITE;

	/* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
	if (ia_valid & ATTR_FORCE) {
@@ -4835,7 +4835,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
	return err;
err_af:
	/* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
	if (sksec->sclass == SECCLASS_SCTP_SOCKET)
	if (sk->sk_protocol == IPPROTO_SCTP)
		return -EINVAL;
	return -EAFNOSUPPORT;
}
@@ -5939,14 +5939,14 @@ static int nlmsg_sock_has_extended_perms(struct sock *sk, u32 perms, u16 nlmsg_t
{
	struct sk_security_struct *sksec = sk->sk_security;
	struct common_audit_data ad;
	struct lsm_network_audit net;
	u8 driver;
	u8 xperm;

	if (sock_skip_has_perm(sksec->sid))
		return 0;

	ad_net_init_from_sk(&ad, &net, sk);
	ad.type = LSM_AUDIT_DATA_NLMSGTYPE;
	ad.u.nlmsg_type = nlmsg_type;

	driver = nlmsg_type >> 8;
	xperm = nlmsg_type & 0xff;
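Review bot: In nlmsg_sock_has_extended_perms() the new `ad.type = LSM_AUDIT_DATA_NLMSGTYPE;` / `ad.u.nlmsg_type = nlmsg_type;` pair writes the same `ad` that `ad_net_init_from_sk(&ad, &net, sk)` fills; the markers are lost on this page, so either that call survives on the new side and its socket fields are overwritten before any record is emitted, or it was removed and `struct lsm_network_audit net` stays declared but unused. Either way a denial record for a netlink message now carries only the message type and no longer the socket context that LSM_AUDIT_DATA_NET supplied; if that is intended, a comment such as `/* audit the raw nlmsg_type (driver << 8 | xperm) rather than the socket */` would record the choice, and if not, the network data would need its own record. The function body continues past the hunk. In selinux_socket_bind() the switch to `sk->sk_protocol == IPPROTO_SCTP` deserves one more sentence in the comment above it, e.g. `/* Check the protocol, not sksec->sclass: the class depends on policy EXTSOCKCLASS support. */`, so the next reader does not revert it to the object class.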
+1 −1
@@ -179,7 +179,7 @@ const struct security_class_mapping secclass_map[] = {
	{ "anon_inode", { COMMON_FILE_PERMS, NULL } },
	{ "io_uring", { "override_creds", "sqpoll", "cmd", NULL } },
	{ "user_namespace", { "create", NULL } },
	{ NULL }
	/* last one */ { NULL, {} }
};

#ifdef __KERNEL__ /* avoid this check when building host programs */
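Review bot: The terminator `/* last one */ { NULL, {} }` uses an empty brace initializer for the permission-name array, which is a GNU extension before C23; the line below shows this header is also compiled into host programs, so confirm HOSTCC accepts it, or write `{ NULL, { NULL } }`, which is valid in every C standard and initializes the same bytes. The `/* last one */` marker is helpful and could be applied to the other table terminators in this header for consistency, which is outside the hunk.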