| Message ID | 20250207033019.479292-2-paul@paul-moore.com (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to: | Paul Moore |
| Headers | show |
| Series | selinux: always check the file label in selinux_kernel_read_file() | expand |
On Feb 6, 2025 Paul Moore <paul@paul-moore.com> wrote: > > Commit 2039bda1fa8d ("LSM: Add "contents" flag to kernel_read_file hook") > added a new flag to the security_kernel_read_file() LSM hook, "contents", > which was set if a file was being read in its entirety or if it was the > first chunk read in a multi-step process. The SELinux LSM callback was > updated to only check against the file label if this "contents" flag was > set, meaning that in multi-step reads the file label was not considered > in the access control decision after the initial chunk. > > Thankfully the only in-tree user that performs a multi-step read is the > "bcm-vk" driver and it is loading firmware, not a kernel module, so there > are no security regressions to worry about. However, we still want to > ensure that the SELinux code does the right thing, and *always* checks > the file label, especially as there is a chance the file could change > between chunk reads. > > Fixes: 2039bda1fa8d ("LSM: Add "contents" flag to kernel_read_file hook") > Signed-off-by: Paul Moore <paul@paul-moore.com> > --- > security/selinux/hooks.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) Merged into selinux/dev. -- paul-moore.com
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 7b867dfec88b..a80e3f01153f 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -4134,7 +4134,7 @@ static int selinux_kernel_read_file(struct file *file, switch (id) { case READING_MODULE: - rc = selinux_kernel_module_from_file(contents ? file : NULL); + rc = selinux_kernel_module_from_file(file); break; default: break;
Commit 2039bda1fa8d ("LSM: Add "contents" flag to kernel_read_file hook") added a new flag to the security_kernel_read_file() LSM hook, "contents", which was set if a file was being read in its entirety or if it was the first chunk read in a multi-step process. The SELinux LSM callback was updated to only check against the file label if this "contents" flag was set, meaning that in multi-step reads the file label was not considered in the access control decision after the initial chunk. Thankfully the only in-tree user that performs a multi-step read is the "bcm-vk" driver and it is loading firmware, not a kernel module, so there are no security regressions to worry about. However, we still want to ensure that the SELinux code does the right thing, and *always* checks the file label, especially as there is a chance the file could change between chunk reads. Fixes: 2039bda1fa8d ("LSM: Add "contents" flag to kernel_read_file hook") Signed-off-by: Paul Moore <paul@paul-moore.com> --- security/selinux/hooks.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)