On Wed, Jan 1, 2025 at 6:49 PM Thiébaud Weksteen tweek@google.com wrote:
commit 900f83cf376bdaf798b6f5dcb2eae0c822e908b6 upstream.
When evaluating extended permissions, ignore unknown permissions instead of calling BUG(). This commit ensures that future permissions can be added without interfering with older kernels.
Cc: stable@vger.kernel.org Fixes: fa1aa143ac4a ("selinux: extended permissions for ioctls") Signed-off-by: Thiébaud Weksteen tweek@google.com Signed-off-by: Paul Moore paul@paul-moore.com (cherry picked from commit 900f83cf376bdaf798b6f5dcb2eae0c822e908b6)
security/selinux/ss/services.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)
The backport looks good to me.
Acked-by: Paul Moore paul@paul-moore.com
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index a9830fbfc5c6..88850405ded9 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -955,7 +955,10 @@ void services_compute_xperms_decision(struct extended_perms_decision *xpermd, xpermd->driver)) return; } else {
BUG();
pr_warn_once("SELinux: unknown extended permission (%u) will be ignored\n",node->datum.u.xperms->specified);return; } if (node->key.specified == AVTAB_XPERMS_ALLOWED) {@@ -992,7 +995,8 @@ void services_compute_xperms_decision(struct extended_perms_decision *xpermd, node->datum.u.xperms->perms.p[i]; } } else {
BUG();
pr_warn_once("SELinux: unknown specified key (%u)\n",node->key.specified); }}
-- 2.47.1.613.gc27f4b7a9f-goog