Message ID | 20241203222741.1739916-1-tweek@google.com (mailing list archive)
---|---
State | Changes Requested
Delegated to | Paul Moore
Series | selinux: ignore unknown extended permissions
On Tue, Dec 3, 2024 at 5:27 PM Thiébaud Weksteen <tweek@google.com> wrote: > > When evaluating extended permissions, ignore unknown permissions instead > of calling BUG(). This commit ensures that future permissions can be > added without interfering with older kernels. > > Fixes: fa1aa143ac4a ("selinux: extended permissions for ioctls") > Cc: stable@vger.kernel.org > Signed-off-by: Thiébaud Weksteen <tweek@google.com> > --- > security/selinux/ss/services.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c > index 971c45d576ba..2fa8aebcb2e5 100644 > --- a/security/selinux/ss/services.c > +++ b/security/selinux/ss/services.c > @@ -979,7 +979,8 @@ void services_compute_xperms_decision(struct extended_perms_decision *xpermd, > return; > break; > default: > - BUG(); > + // An unknown extended permission has been found. Ignore it. > + return; There is also a BUG() call lower in the function when it generates the extended data, do you want to update/remove that as well? It also seems like we should have a pr_warn_once() or pr_warn_ratelimited() message here to alert the admin of a mismatch between the policy and the kernel. > } > > if (node->key.specified == AVTAB_XPERMS_ALLOWED) { > --
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 971c45d576ba..2fa8aebcb2e5 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -979,7 +979,8 @@ void services_compute_xperms_decision(struct extended_perms_decision *xpermd, return; break; default: - BUG(); + // An unknown extended permission has been found. Ignore it. + return; } if (node->key.specified == AVTAB_XPERMS_ALLOWED) {
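Review bot: the replacement comment in the `default:` arm uses a `//` C++-style comment, which kernel coding style does not accept; write it as `/* An unknown extended permission has been found. Ignore it. */`. The bare `return;` also makes the policy/kernel mismatch invisible to the administrator, so a `pr_warn_once()` or `pr_warn_ratelimited()` before the return, as the reply suggests, would be worth adding. Finally, the commit message says unknown permissions are ignored, while the reply notes a second `BUG()` later in the function when the extended data is generated; either that site gets the same treatment or the message should describe only this switch.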
When evaluating extended permissions, ignore unknown permissions instead of calling BUG(). This commit ensures that future permissions can be added without interfering with older kernels.

Fixes: fa1aa143ac4a ("selinux: extended permissions for ioctls")
Cc: stable@vger.kernel.org
Signed-off-by: Thiébaud Weksteen <tweek@google.com>
---
security/selinux/ss/services.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
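To show the forward-compatibility point the commit message makes, here is a userspace model of the patched switch in services_compute_xperms_decision(); it is an added example, not kernel code, and the node kinds, struct layout, the constructed policy and the unknown kind value 99 are all simplifications chosen for the illustration.

```c
/* Userspace model (added example, not kernel code) of the switch patched in
 * services_compute_xperms_decision(): a node whose xperms kind this "kernel"
 * does not know is skipped with a one-time warning instead of aborting. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
enum { XPERMS_IOCTLFUNCTION = 1, XPERMS_IOCTLDRIVER = 2 };   /* simplified names */
struct xperms_node {
    int specified;       /* node kind; newer policy may carry values unknown here */
    uint8_t driver;      /* ioctl driver byte (IOCTLFUNCTION nodes only) */
    uint8_t perms[32];   /* 256-bit map over function bytes, or over driver bytes */
};
int unknown_kind_warned;                  /* stands in for pr_warn_once() */
static int bit_test(const uint8_t *map, uint8_t i) { return (map[i / 8] >> (i % 8)) & 1; }

/* Merge one policy node into the allowed map for the given driver byte;
 * returns 1 if the node kind was understood, 0 if it was skipped. */
static int apply_node(const struct xperms_node *n, uint8_t driver, uint8_t *allowed)
{
    switch (n->specified) {
    case XPERMS_IOCTLFUNCTION:            /* per-function bits, only for its driver */
        for (int i = 0; n->driver == driver && i < 32; i++)
            allowed[i] |= n->perms[i];
        return 1;
    case XPERMS_IOCTLDRIVER:              /* every function of a driver whose bit is set */
        if (bit_test(n->perms, driver))
            memset(allowed, 0xff, 32);
        return 1;
    default:
        /* Post-patch behaviour: skip the node instead of BUG(), but warn once about it */
        if (!unknown_kind_warned++)
            fprintf(stderr, "xperms: unknown node kind %d ignored\n", n->specified);
        return 0;
    }
}

/* Constructed policy: allow (driver 0x41, function 0x10), allow all of driver
 * 0x7f, plus one node of kind 99 that this model does not understand. */
int ioctl_allowed(uint8_t driver, uint8_t function)
{
    struct xperms_node nodes[3] = { { XPERMS_IOCTLFUNCTION, 0x41, { 0 } },
                                    { XPERMS_IOCTLDRIVER, 0, { 0 } }, { 99, 0, { 0 } } };
    uint8_t allowed[32] = { 0 };
    nodes[0].perms[0x10 / 8] |= 1u << (0x10 % 8);
    nodes[1].perms[0x7f / 8] |= 1u << (0x7f % 8);
    for (int i = 0; i < 3; i++)
        apply_node(&nodes[i], driver, allowed);
    return bit_test(allowed, function);    /* 1 = allowed, 0 = denied */
}
```

With the pre-patch behaviour the third node would abort the whole decision; here the two known nodes still decide correctly and the mismatch is reported once.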