@@ -1568,7 +1568,7 @@ int cred_tsid_has_perm_noaudit(const struct cred *cred, u32 tsid, u16 tclass,
}
/**
- * cred_ssid_has_perm - Check and audit permissions on a (ssid, tsid) pair
+ * cred_obj_has_perm - Check and audit permissions on a (ssid, tsid) pair
* @cred: subject credentials
* @ssid: source security identifier
* @tsid: target security identifier
@@ -1585,8 +1585,9 @@ int cred_tsid_has_perm_noaudit(const struct cred *cred, u32 tsid, u16 tclass,
* DO NOT USE when checking permissions involving cred/task SIDs; this
* helper is only for object-to-object checks.
*/
-int cred_ssid_has_perm(const struct cred *cred, u32 ssid, u32 tsid, u16 tclass,
- u32 requested, struct common_audit_data *ad)
+int cred_obj_has_perm(const struct cred *cred, u32 ssid, u32 tsid,
+ u16 tclass, u32 requested,
+ struct common_audit_data *ad)
{
struct task_security_struct *tsec;
struct selinux_state *state;
@@ -1605,6 +1606,58 @@ int cred_ssid_has_perm(const struct cred *cred, u32 ssid, u32 tsid, u16 tclass,
return 0;
}
+/**
+ * cred_ssid_has_perm - Check and audit permissions on a (ssid, tsid) pair
+ * @cred: subject credentials
+ * @ssid: source security identifier
+ * @tsid: target security identifier
+ * @tclass: target security class
+ * @requested: requested permissions, interpreted based on @tclass
+ * @auditdata: auxiliary audit data
+ *
+ * Check permissions between a source SID @ssid and a target SID @tsid for
+ * @cred's namespace and check between the parent cred's SID and %tsid
+ * for all ancestors to determine whether the @requested permissions are
+ * granted.
+ * Audit the granting or denial of permissions in accordance with the policy.
+ * Return %0 if all @requested permissions are granted, -%EACCES if any
+ * permissions are denied, or another -errno upon other errors.
+ * DO NOT USE when checking permissions involving cred/task SIDs; this
+ * helper is only for socket and IPC checks.
+ */
+int cred_ssid_has_perm(const struct cred *cred, u32 ssid, u32 tsid, u16 tclass,
+ u32 requested, struct common_audit_data *ad)
+{
+ struct task_security_struct *tsec;
+ struct selinux_state *state;
+ int rc;
+
+ /* Check using the provided ssid in the current namespace. */
+ tsec = selinux_cred(cred);
+ state = tsec->state;
+ rc = avc_has_perm(state, ssid, tsid, tclass, requested, ad);
+ if (rc)
+ return rc;
+
+ cred = tsec->parent_cred;
+ while (cred) {
+ /*
+ * In all ancestor namespaces, use the task SID from
+ * the corresponding credential as the subject SID.
+ */
+ tsec = selinux_cred(cred);
+ state = tsec->state;
+ ssid = tsec->sid;
+ rc = avc_has_perm(state, ssid, tsid, tclass, requested, ad);
+ if (rc)
+ return rc;
+
+ cred = tsec->parent_cred;
+ }
+
+ return 0;
+}
+
static u32 cred_sid_for_state(const struct cred *cred,
const struct selinux_state *state)
{
@@ -461,8 +461,8 @@ static int may_context_mount_inode_relabel(u32 sid,
if (rc)
return rc;
- return cred_ssid_has_perm(cred, sid, sbsec->sid, SECCLASS_FILESYSTEM,
- FILESYSTEM__ASSOCIATE, NULL);
+ return cred_obj_has_perm(cred, sid, sbsec->sid, SECCLASS_FILESYSTEM,
+ FILESYSTEM__ASSOCIATE, NULL);
}
static int selinux_is_genfs_special_handling(struct super_block *sb)
@@ -1833,9 +1833,9 @@ static int may_create(struct inode *dir,
if (rc)
return rc;
- return cred_ssid_has_perm(cred, newsid, sbsec->sid,
- SECCLASS_FILESYSTEM, FILESYSTEM__ASSOCIATE,
- &ad);
+ return cred_obj_has_perm(cred, newsid, sbsec->sid,
+ SECCLASS_FILESYSTEM, FILESYSTEM__ASSOCIATE,
+ &ad);
}
#define MAY_LINK 0
@@ -3353,9 +3353,9 @@ static int selinux_inode_setxattr(struct mnt_idmap *idmap,
if (rc)
return rc;
- return cred_ssid_has_perm(cred, newsid, sbsec->sid,
- SECCLASS_FILESYSTEM,
- FILESYSTEM__ASSOCIATE, &ad);
+ return cred_obj_has_perm(cred, newsid, sbsec->sid,
+ SECCLASS_FILESYSTEM,
+ FILESYSTEM__ASSOCIATE, &ad);
}
static int selinux_inode_set_acl(struct mnt_idmap *idmap,
@@ -164,6 +164,9 @@ int cred_tsid_has_perm(const struct cred *cred, u32 tsid, u16 tclass,
int cred_tsid_has_perm_noaudit(const struct cred *cred, u32 tsid, u16 tclass,
u32 requested, struct av_decision *avd);
+int cred_obj_has_perm(const struct cred *cred, u32 ssid, u32 tsid, u16 tclass,
+ u32 requested, struct common_audit_data *ad);
+
int cred_ssid_has_perm(const struct cred *cred, u32 ssid, u32 tsid, u16 tclass,
u32 requested, struct common_audit_data *ad);
Split cred_ssid_has_perm() into two separate functions, cred_obj_has_perm() to perform the namespace-aware checks for inter-object checks like associate, and cred_ssid_has_perm() to perform namespace-aware checks for socket and SysV IPC checks where the SSID is in fact derived from the creating task SID. Modify cred_ssid_has_perm() to only use the provided ssid for the initial check in the current namespace, and to instead use the task SID from the parent cred for each check against the ancestor namespaces. This ensures that socket and SysV IPC is correctly controlled in each namespace based on the task's SID/context in that namespace. We still need to determine whether peer labeling is correctly handled across different namespaces, and if not, to adapt appropriately. Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com> --- security/selinux/avc.c | 59 ++++++++++++++++++++++++++++++++-- security/selinux/hooks.c | 16 ++++----- security/selinux/include/avc.h | 3 ++ 3 files changed, 67 insertions(+), 11 deletions(-)