[RFC,25/44] selinux: introduce selinux_state_has_perm()

Message ID	20250102164509.25606-26-stephen.smalley.work@gmail.com (mailing list archive)
State	New
Delegated to:	Paul Moore
Headers	show Received: from mail-qt1-f175.google.com (mail-qt1-f175.google.com [209.85.160.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E5C7715C14B for <selinux@vger.kernel.org>; Thu, 2 Jan 2025 16:45:55 +0000 (UTC) From: Stephen Smalley <stephen.smalley.work@gmail.com> To: selinux@vger.kernel.org Cc: paul@paul-moore.com, omosnace@redhat.com, Stephen Smalley <stephen.smalley.work@gmail.com> Subject: [RFC PATCH 25/44] selinux: introduce selinux_state_has_perm() Date: Thu, 2 Jan 2025 11:44:50 -0500 Message-Id: <20250102164509.25606-26-stephen.smalley.work@gmail.com> In-Reply-To: <20250102164509.25606-1-stephen.smalley.work@gmail.com> References: <20250102164509.25606-1-stephen.smalley.work@gmail.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	SELinux namespace support \| expand [RFC,00/44] SELinux namespace support [RFC,01/44] selinux: restore passing of selinux_state [RFC,02/44] selinux: introduce current_selinux_state [RFC,03/44] selinux: support multiple selinuxfs instances [RFC,04/44] selinux: dynamically allocate selinux namespace [RFC,05/44] netstate,selinux: create the selinux netlink socket per network namespace [RFC,06/44] selinux: support per-task/cred selinux namespace [RFC,07/44] selinux: introduce cred_selinux_state() and use it [RFC,08/44] selinux: add a selinuxfs interface to unshare selinux namespace [RFC,09/44] selinuxfs: restrict write operations to the same selinux namespace [RFC,10/44] selinux: introduce a global SID table [RFC,11/44] selinux: wrap security server interfaces to use the global SID table [RFC,12/44] selinux: update hook functions to use correct selinux namespace [RFC,13/44] selinux: introduce cred_task_has_perm() [RFC,14/44] selinux: introduce cred_has_extended_perms() [RFC,15/44] selinux: introduce cred_self_has_perm() [RFC,16/44] selinux: introduce cred_has_perm() [RFC,17/44] selinux: introduce cred_ssid_has_perm() and cred_other_has_perm() [RFC,18/44] selinux: introduce task_obj_perm() [RFC,19/44] selinux: fix selinux_lsm_getattr() check [RFC,20/44] selinux: update bprm hooks for selinux namespaces [RFC,21/44] selinux: add kerneldoc to new permission checking functions [RFC,22/44] selinux: convert selinux_file_send_sigiotask() to namespace-aware helper [RFC,23/44] selinux: rename cred_has_perm() to cred_tsid_has_perm() [RFC,24/44] selinux: convert additional checks to cred_ssid_has_perm() [RFC,25/44] selinux: introduce selinux_state_has_perm() [RFC,26/44] selinux: annotate selinuxfs permission checks [RFC,27/44] selinux: annotate process transition permission checks [RFC,28/44] selinux: convert xfrm and netlabel permission checks [RFC,29/44] selinux: switch selinux_lsm_setattr() checks to current namespace [RFC,30/44] selinux: add limits for SELinux namespaces [RFC,31/44] selinux: fix namespace creation [RFC,32/44] selinux: limit selinux netlink notifications to init namespace [RFC,33/44] selinux: refactor selinux_state_create() [RFC,34/44] selinux: make open_perms namespace-aware [RFC,35/44] selinux: split cred_ssid_has_perm() into two cases [RFC,36/44] selinux: set initial SID context for init to "kernel" in global SID table [RFC,37/44] selinux: disallow writes to /sys/fs/selinux/user in non-init namespaces [RFC,38/44] selinux: convert nlmsg_sock_has_extended_perms() to namespace-aware [RFC,39/44] selinux: defer inode init on current selinux state [RFC,40/44] selinux: init inode from nearest initialized namespace [RFC,41/44] selinux: allow userspace to detect non-init SELinux namespace [RFC,42/44] selinux: exempt creation of init SELinux namespace from limits [RFC,43/44] selinux: introduce a Kconfig option for SELinux namespaces [RFC,44/44] selinux: fix inode initialization when no namespace is initialized

diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 250d56dae487..a533385d0149 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -1662,6 +1662,43 @@ int cred_other_has_perm(const struct cred *cred, const struct cred *other, return 0; } +/** + * selinux_state_has_perm - Check and audit permissions on a (ssid, tsid) pair + * @state: SELinux state + * @ssid: source security identifier + * @tsid: target security identifier + * @tclass: target security class + * @requested: requested permissions, interpreted based on @tclass + * @auditdata: auxiliary audit data + * + * Check permissions between a source SID @ssid and a target SID @tsid for + * @state and all ancestors to determine whether the @requested permissions + * are granted, interpreting the permissions based on @tclass. + * For the ancestor checks, use the SID of the creator of the namespace + * as the source SID of the check. + * Audit the granting or denial of permissions in accordance with the policy. + * Return %0 if all @requested permissions are granted, -%EACCES if any + * permissions are denied, or another -errno upon other errors. + * DO NOT USE when a cred is available; use cred_*_has_perm() instead. + */ +int selinux_state_has_perm(struct selinux_state *state, u32 ssid, u32 tsid, + u16 tclass, u32 requested, + struct common_audit_data *ad) +{ + int rc; + + do { + rc = avc_has_perm(state, ssid, tsid, tclass, requested, ad); + if (rc) + return rc; + + ssid = state->creator_sid; + state = state->parent; + } while (state); + + return 0; +} + u32 avc_policy_seqno(struct selinux_state *state) { return state->avc->avc_cache.latest_notif; diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 9e09bfff8392..3fd787bf5cc6 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -5158,16 +5158,16 @@ static int selinux_inet_sys_rcv_skb(struct selinux_state *state, err = sel_netif_sid(state, ns, ifindex, &if_sid); if (err) return err; - err = avc_has_perm(state, peer_sid, if_sid, - SECCLASS_NETIF, NETIF__INGRESS, ad); + err = selinux_state_has_perm(state, peer_sid, if_sid, + SECCLASS_NETIF, NETIF__INGRESS, ad); if (err) return err; err = sel_netnode_sid(state, addrp, family, &node_sid); if (err) return err; - return avc_has_perm(state, peer_sid, node_sid, SECCLASS_NODE, - NODE__RECVFROM, ad); + return selinux_state_has_perm(state, peer_sid, node_sid, SECCLASS_NODE, + NODE__RECVFROM, ad); } static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, @@ -5187,8 +5187,9 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, return err; if (selinux_secmark_enabled()) { - err = avc_has_perm(state, sk_sid, skb->secmark, SECCLASS_PACKET, - PACKET__RECV, &ad); + err = selinux_state_has_perm(state, sk_sid, skb->secmark, + SECCLASS_PACKET, PACKET__RECV, + &ad); if (err) return err; } @@ -5248,8 +5249,8 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) selinux_netlbl_err(skb, family, err, 0); return err; } - err = avc_has_perm(state, sk_sid, peer_sid, SECCLASS_PEER, - PEER__RECV, &ad); + err = selinux_state_has_perm(state, sk_sid, peer_sid, + SECCLASS_PEER, PEER__RECV, &ad); if (err) { selinux_netlbl_err(skb, family, err, 0); return err; @@ -5257,8 +5258,9 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) } if (secmark_active) { - err = avc_has_perm(state, sk_sid, skb->secmark, SECCLASS_PACKET, - PACKET__RECV, &ad); + err = selinux_state_has_perm(state, sk_sid, skb->secmark, + SECCLASS_PACKET, PACKET__RECV, + &ad); if (err) return err; } @@ -5439,9 +5441,9 @@ static int selinux_sctp_process_new_assoc(struct sctp_association *asoc, * consistency among the peer SIDs. */ ad_net_init_from_sk(&ad, &net, asoc->base.sk); - err = avc_has_perm(state, sksec->peer_sid, asoc->peer_secid, - sksec->sclass, SCTP_SOCKET__ASSOCIATION, - &ad); + err = selinux_state_has_perm(state, sksec->peer_sid, + asoc->peer_secid, sksec->sclass, + SCTP_SOCKET__ASSOCIATION, &ad); if (err) return err; } @@ -5803,8 +5805,9 @@ static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb, } if (secmark_active) - if (avc_has_perm(se_state, peer_sid, skb->secmark, - SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) + if (selinux_state_has_perm(se_state, peer_sid, skb->secmark, + SECCLASS_PACKET, + PACKET__FORWARD_IN, &ad)) return NF_DROP; if (netlbl_enabled()) @@ -5885,8 +5888,9 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, return NF_DROP; if (selinux_secmark_enabled()) - if (avc_has_perm(sksec->state, sksec->sid, skb->secmark, - SECCLASS_PACKET, PACKET__SEND, &ad)) + if (selinux_state_has_perm(sksec->state, sksec->sid, + skb->secmark, SECCLASS_PACKET, + PACKET__SEND, &ad)) return NF_DROP_ERR(-ECONNREFUSED); if (selinux_xfrm_postroute_last(sksec->sid, skb, sksec->state, &ad, @@ -6012,8 +6016,8 @@ static unsigned int selinux_ip_postroute(void *priv, return NF_DROP; if (secmark_active) - if (avc_has_perm(se_state, peer_sid, skb->secmark, - SECCLASS_PACKET, secmark_perm, &ad)) + if (selinux_state_has_perm(se_state, peer_sid, skb->secmark, + SECCLASS_PACKET, secmark_perm, &ad)) return NF_DROP_ERR(-ECONNREFUSED); if (peerlbl_active) { @@ -6022,14 +6026,14 @@ static unsigned int selinux_ip_postroute(void *priv, if (sel_netif_sid(se_state, state->net, ifindex, &if_sid)) return NF_DROP; - if (avc_has_perm(se_state, peer_sid, if_sid, - SECCLASS_NETIF, NETIF__EGRESS, &ad)) + if (selinux_state_has_perm(se_state, peer_sid, if_sid, + SECCLASS_NETIF, NETIF__EGRESS, &ad)) return NF_DROP_ERR(-ECONNREFUSED); if (sel_netnode_sid(se_state, addrp, family, &node_sid)) return NF_DROP; - if (avc_has_perm(se_state, peer_sid, node_sid, - SECCLASS_NODE, NODE__SENDTO, &ad)) + if (selinux_state_has_perm(se_state, peer_sid, node_sid, + SECCLASS_NODE, NODE__SENDTO, &ad)) return NF_DROP_ERR(-ECONNREFUSED); } @@ -6912,10 +6916,10 @@ static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val) ibpkey.subnet_prefix = subnet_prefix; ibpkey.pkey = pkey_val; ad.u.ibpkey = &ibpkey; - return avc_has_perm(current_selinux_state, - sec->sid, sid, - SECCLASS_INFINIBAND_PKEY, - INFINIBAND_PKEY__ACCESS, &ad); + return selinux_state_has_perm(current_selinux_state, + sec->sid, sid, + SECCLASS_INFINIBAND_PKEY, + INFINIBAND_PKEY__ACCESS, &ad); } static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name, @@ -6937,10 +6941,10 @@ static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name, ibendport.dev_name = dev_name; ibendport.port = port_num; ad.u.ibendport = &ibendport; - return avc_has_perm(current_selinux_state, - sec->sid, sid, - SECCLASS_INFINIBAND_ENDPORT, - INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad); + return selinux_state_has_perm(current_selinux_state, + sec->sid, sid, + SECCLASS_INFINIBAND_ENDPORT, + INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad); } static int selinux_ib_alloc_security(void *ib_sec) @@ -7530,6 +7534,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { static void selinux_state_free(struct work_struct *work); int selinux_state_create(struct selinux_state *parent, + u32 creator_sid, struct selinux_state **state) { struct selinux_state *newstate; @@ -7539,6 +7544,8 @@ int selinux_state_create(struct selinux_state *parent, if (!newstate) return -ENOMEM; + newstate->creator_sid = creator_sid; + refcount_set(&newstate->count, 1); INIT_WORK(&newstate->work, selinux_state_free); @@ -7584,7 +7591,8 @@ static __init int selinux_init(void) { pr_info("SELinux: Initializing.\n"); - if (selinux_state_create(NULL, &init_selinux_state)) + if (selinux_state_create(NULL, SECINITSID_KERNEL, + &init_selinux_state)) panic("SELinux: Could not create initial namespace\n"); enforcing_set(init_selinux_state, selinux_enforcing_boot); diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h index 967848594270..95fed265071d 100644 --- a/security/selinux/include/avc.h +++ b/security/selinux/include/avc.h @@ -174,6 +174,10 @@ int cred_other_has_perm(const struct cred *cred, const struct cred *other, int task_obj_has_perm(const struct task_struct *s, const struct task_struct *t, u16 tclass, u32 requested, struct common_audit_data *ad); +int selinux_state_has_perm(struct selinux_state *state, u32 ssid, u32 tsid, + u16 tclass, u32 requested, + struct common_audit_data *ad); + u32 avc_policy_seqno(struct selinux_state *state); #define AVC_CALLBACK_GRANT 1 diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index 261a6971f262..bf2d13227113 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -110,11 +110,12 @@ struct selinux_state { refcount_t count; struct work_struct work; + u32 creator_sid; /* SID of namespace creator */ } __randomize_layout; extern struct selinux_state *init_selinux_state; -int selinux_state_create(struct selinux_state *parent, +int selinux_state_create(struct selinux_state *parent, u32 creator_sid, struct selinux_state **state); void __put_selinux_state(struct selinux_state *state); diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index c3308a5c168d..8c159b88615f 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -367,7 +367,8 @@ static ssize_t sel_write_unshare(struct file *file, const char __user *buf, goto out; } tsec = selinux_cred(cred); - if (selinux_state_create(state, &tsec->state)) { + if (selinux_state_create(state, current_sid(), + &tsec->state)) { abort_creds(cred); length = -ENOMEM; goto out;

[RFC,25/44] selinux: introduce selinux_state_has_perm()

Commit Message

Patch