6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: ThiƩbaud Weksteen tweek@google.com
commit 900f83cf376bdaf798b6f5dcb2eae0c822e908b6 upstream.
When evaluating extended permissions, ignore unknown permissions instead of calling BUG(). This commit ensures that future permissions can be added without interfering with older kernels.
Cc: stable@vger.kernel.org Fixes: fa1aa143ac4a ("selinux: extended permissions for ioctls") Signed-off-by: ThiƩbaud Weksteen tweek@google.com Signed-off-by: Paul Moore paul@paul-moore.com Acked-by: Paul Moore paul@paul-moore.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- security/selinux/ss/services.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)
--- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -969,7 +969,10 @@ void services_compute_xperms_decision(st xpermd->driver)) return; } else { - BUG(); + pr_warn_once( + "SELinux: unknown extended permission (%u) will be ignored\n", + node->datum.u.xperms->specified); + return; }
if (node->key.specified == AVTAB_XPERMS_ALLOWED) { @@ -1006,7 +1009,8 @@ void services_compute_xperms_decision(st node->datum.u.xperms->perms.p[i]; } } else { - BUG(); + pr_warn_once("SELinux: unknown specified key (%u)\n", + node->key.specified); } }