Commit 7335230c authored by Thiébaud Weksteen, committed by GONG Ruiqi

selinux: ignore unknown extended permissions

stable inclusion
from stable-v6.6.70
commit c1dbd28a079553de0023e1c938c713efeeee400f
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBJ6OD
CVE: CVE-2024-57931

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=c1dbd28a079553de0023e1c938c713efeeee400f



--------------------------------

commit 900f83cf376bdaf798b6f5dcb2eae0c822e908b6 upstream.

When evaluating extended permissions, ignore unknown permissions instead
of calling BUG(). This commit ensures that future permissions can be
added without interfering with older kernels.

Cc: stable@vger.kernel.org
Fixes: fa1aa143 ("selinux: extended permissions for ioctls")
Signed-off-by: Thiébaud Weksteen <tweek@google.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: GONG Ruiqi <gongruiqi1@huawei.com>
parent 1b973c5f
+6 −2
@@ -956,7 +956,10 @@ void services_compute_xperms_decision(struct extended_perms_decision *xpermd,
					xpermd->driver))
			return;
	} else {
		BUG();
		pr_warn_once(
			"SELinux: unknown extended permission (%u) will be ignored\n",
			node->datum.u.xperms->specified);
		return;
	}

	if (node->key.specified == AVTAB_XPERMS_ALLOWED) {
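Review bot: the new else branch returns after a once-only warning, but nothing in the code records why an unknown value is tolerated here. A short comment above pr_warn_once saying that unknown extended permission types are skipped so that permissions added later do not interfere with older kernels would keep someone from restoring a hard failure. Also note that pr_warn_once fires only for the first unknown value reaching this call site, so if several different unknown values of node->datum.u.xperms->specified occur, only one of them is logged; if that is the intended trade-off to keep this path quiet, state it in the same comment.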
@@ -993,7 +996,8 @@ void services_compute_xperms_decision(struct extended_perms_decision *xpermd,
					node->datum.u.xperms->perms.p[i];
		}
	} else {
		BUG();
		pr_warn_once("SELinux: unknown specified key (%u)\n",
			     node->key.specified);
	}
}
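Review bot: in the final else branch the message "SELinux: unknown specified key (%u)\n" does not say what happens to the entry, unlike the first hunk's "will be ignored" wording. The branch now falls through to the end of the function without updating xpermd, so the entry is effectively skipped; wording the message the same way as the first hunk would make the two warnings consistent for whoever reads the log. The two sites also print different fields (node->datum.u.xperms->specified there, node->key.specified here), so keeping the distinct "extended permission" and "specified key" labels in the text is worth preserving when aligning the wording.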