The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to stable@vger.kernel.org.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y
git checkout FETCH_HEAD
git cherry-pick -x 900f83cf376bdaf798b6f5dcb2eae0c822e908b6
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to 'stable@vger.kernel.org' --in-reply-to '2024122319-risk-starlit-ce4a@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 900f83cf376bdaf798b6f5dcb2eae0c822e908b6 Mon Sep 17 00:00:00 2001
From: Thiébaud Weksteen <tweek@google.com>
Date: Thu, 5 Dec 2024 12:09:19 +1100
Subject: [PATCH] selinux: ignore unknown extended permissions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When evaluating extended permissions, ignore unknown permissions instead of calling BUG(). This commit ensures that future permissions can be added without interfering with older kernels.
Cc: stable@vger.kernel.org
Fixes: fa1aa143ac4a ("selinux: extended permissions for ioctls")
Signed-off-by: Thiébaud Weksteen <tweek@google.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 971c45d576ba..3d5c563cfc4c 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -979,7 +979,10 @@ void services_compute_xperms_decision(struct extended_perms_decision *xpermd, return; break; default: - BUG(); + pr_warn_once( + "SELinux: unknown extended permission (%u) will be ignored\n", + node->datum.u.xperms->specified); + return; }
if (node->key.specified == AVTAB_XPERMS_ALLOWED) { @@ -998,7 +1001,8 @@ void services_compute_xperms_decision(struct extended_perms_decision *xpermd, &node->datum.u.xperms->perms, xpermd->dontaudit); } else { - BUG(); + pr_warn_once("SELinux: unknown specified key (%u)\n", + node->key.specified); } }
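Review bot: In the first hunk (@@ -979), the `default:` arm now logs with pr_warn_once() and returns before the `if (node->key.specified == AVTAB_XPERMS_ALLOWED)` block, so a rule whose xperms `specified` type this kernel does not recognise contributes no allowed, auditallow or dontaudit bits at all. That is the safe direction (ignoring a rule can only narrow access, never widen it) and it is worth stating explicitly in the commit message, which currently says only that unknown permissions are ignored. One caveat: pr_warn_once() fires for the first unknown value encountered and stays silent for every later, different value, so a policy carrying several new xperms types will only ever report one of them in dmesg; pr_warn_ratelimited() would let an administrator see the full set of types the running kernel is dropping.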
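Review bot: In the second hunk (@@ -998), the replacement for BUG() in the final `else` deliberately falls through rather than returning. That is correct, since the two closing braces that follow end the function and there is nothing left to skip, but it is asymmetric with the first hunk, where the unknown case returns. Suggest a one-line comment above this pr_warn_once() noting that an unrecognised `node->key.specified` is intentionally not merged into xpermd, so a later reader does not mistake the missing `return` for an oversight when comparing the two sites.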
commit 900f83cf376bdaf798b6f5dcb2eae0c822e908b6 upstream.
When evaluating extended permissions, ignore unknown permissions instead of calling BUG(). This commit ensures that future permissions can be added without interfering with older kernels.
Cc: stable@vger.kernel.org
Fixes: fa1aa143ac4a ("selinux: extended permissions for ioctls")
Signed-off-by: Thiébaud Weksteen <tweek@google.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(cherry picked from commit 900f83cf376bdaf798b6f5dcb2eae0c822e908b6)
---
security/selinux/ss/services.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index a9830fbfc5c6..88850405ded9 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -955,7 +955,10 @@ void services_compute_xperms_decision(struct extended_perms_decision *xpermd, xpermd->driver)) return; } else { - BUG(); + pr_warn_once( + "SELinux: unknown extended permission (%u) will be ignored\n", + node->datum.u.xperms->specified); + return; }
if (node->key.specified == AVTAB_XPERMS_ALLOWED) { @@ -992,7 +995,8 @@ void services_compute_xperms_decision(struct extended_perms_decision *xpermd, node->datum.u.xperms->perms.p[i]; } } else { - BUG(); + pr_warn_once("SELinux: unknown specified key (%u)\n", + node->key.specified); } }
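Review bot: The conflict that the stable notice reports is visible in the first hunk (@@ -955): upstream replaces BUG() in a `default:` arm of a switch, while the 6.12.y code at this point still uses an if/else chain, so the backport places the pr_warn_once() and `return` in the trailing `else`. That is the equivalent position (the `if (node->key.specified == AVTAB_XPERMS_ALLOWED)` block still follows, so an unknown xperms type is skipped before any allowed bits are merged), but the backport message should say so, since a reader comparing it against the upstream hunk will otherwise wonder why the surrounding context does not match.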
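Review bot: The second hunk (@@ -992) differs from upstream's @@ -998 only in its context (`node->datum.u.xperms->perms.p[i];` in a loop instead of the `&node->datum.u.xperms->perms, xpermd->dontaudit` call), which is the same divergence as the first hunk; the added lines themselves are identical to upstream, and because this `else` closes the function no `return` is needed. Since the change turns a panic on a policy/kernel mismatch into a single dmesg line after which evaluation silently continues, it would be good to confirm in the backport message that 6.12.y was booted with the change and an unchanged policy, and to point administrators who ship newer policies to that "unknown extended permission" line as the only indication that rules are being dropped.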
On Wed, Jan 1, 2025 at 6:49 PM Thiébaud Weksteen <tweek@google.com> wrote:
commit 900f83cf376bdaf798b6f5dcb2eae0c822e908b6 upstream.
When evaluating extended permissions, ignore unknown permissions instead of calling BUG(). This commit ensures that future permissions can be added without interfering with older kernels.
Cc: stable@vger.kernel.org
Fixes: fa1aa143ac4a ("selinux: extended permissions for ioctls")
Signed-off-by: Thiébaud Weksteen <tweek@google.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(cherry picked from commit 900f83cf376bdaf798b6f5dcb2eae0c822e908b6)
security/selinux/ss/services.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
The backport looks good to me.
Acked-by: Paul Moore <paul@paul-moore.com>
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index a9830fbfc5c6..88850405ded9 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -955,7 +955,10 @@ void services_compute_xperms_decision(struct extended_perms_decision *xpermd, xpermd->driver)) return; } else {
BUG();
pr_warn_once(
"SELinux: unknown extended permission (%u) will be ignored\n",
node->datum.u.xperms->specified);
return; } if (node->key.specified == AVTAB_XPERMS_ALLOWED) {
@@ -992,7 +995,8 @@ void services_compute_xperms_decision(struct extended_perms_decision *xpermd, node->datum.u.xperms->perms.p[i]; } } else {
BUG();
pr_warn_once("SELinux: unknown specified key (%u)\n",
node->key.specified); }
}
-- 2.47.1.613.gc27f4b7a9f-goog
linux-stable-mirror@lists.linaro.org