When evaluating extended permissions, ignore unknown permissions instead of calling BUG(). This commit ensures that future permissions can be added without interfering with older kernels.
Fixes: fa1aa143ac4a ("selinux: extended permissions for ioctls") Cc: stable@vger.kernel.org Signed-off-by: ThiƩbaud Weksteen tweek@google.com --- security/selinux/ss/services.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 971c45d576ba..2fa8aebcb2e5 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -979,7 +979,8 @@ void services_compute_xperms_decision(struct extended_perms_decision *xpermd, return; break; default: - BUG(); + // An unknown extended permission has been found. Ignore it. + return; }
if (node->key.specified == AVTAB_XPERMS_ALLOWED) {