On Wed, Sep 6, 2023 at 7:59 AM Alfred Piccioni alpic@google.com wrote:
Some ioctl commands do not require ioctl permission, but are routed to other permissions such as FILE_GETATTR or FILE_SETATTR. This routing is done by comparing the ioctl cmd to a set of 64-bit flags (FS_IOC_*).
However, if a 32-bit process is running on a 64-bit kernel, it emits 32-bit flags (FS_IOC32_*) for certain ioctl operations. These flags are being checked erroneously, which leads to these ioctl operations being routed to the ioctl permission, rather than the correct file permissions.
Two possible solutions exist:

1. Trim parameter "cmd" to a u16 so that only the last two bytes are checked in the case statement.
2. Explicitly add the FS_IOC32_* codes to the case statement.
Solution 2 was chosen because it is a minimal explicit change. Solution 1 is a more elegant change, but is less explicit, as the switch statement appears to only check the FS_IOC_* codes upon first reading.
Fixes: 0b24dcb7f2f7 ("Revert "selinux: simplify ioctl checking"")
Signed-off-by: Alfred Piccioni alpic@google.com
Cc: stable@vger.kernel.org
Reviewed-by: Stephen Smalley stephen.smalley.work@gmail.com
V1->V2: Cleaned up some typos and added tag for -stable tree inclusion.
security/selinux/hooks.c | 4 ++++
1 file changed, 4 insertions(+)
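As an added illustration that is not part of the patch or this thread, the C below models the routing described above in user space using the generic (x86) ioctl number layout: FS_IOC_* and FS_IOC32_* differ only in the encoded argument size (sizeof(long) is 8 for a 64-bit caller, 4 for a 32-bit compat caller), so a switch listing only the 64-bit codes sends a 32-bit caller's request to the ioctl permission. The function names route_before, route_solution1 and route_solution2 are mine, the permission values are arbitrary, and the real hook checks further commands that are omitted here.

```c
#include <stdint.h>
/* Modeled SELinux file-class permissions (names from SELinux, values arbitrary). */
enum file_perm { FILE__GETATTR, FILE__SETATTR, FILE__IOCTL };

/* Generic Linux ioctl number layout (asm-generic/ioctl.h): dir:2 | size:14 | type:8 | nr:8.
 * Only the size field differs between the widths: sizeof(long) is 8 for a
 * 64-bit caller and 4 for a 32-bit compat caller, so FS_IOC_* != FS_IOC32_*. */
#define IOC(dir, type, nr, size) (((uint32_t)(dir) << 30) | ((uint32_t)(size) << 16) | \
                                  ((uint32_t)(type) << 8) | (uint32_t)(nr))
#define FS_IOC_GETFLAGS     IOC(2, 'f', 1, 8)   /* _IOR('f', 1, long) */
#define FS_IOC_SETFLAGS     IOC(1, 'f', 2, 8)   /* _IOW('f', 2, long) */
#define FS_IOC_GETVERSION   IOC(2, 'v', 1, 8)   /* _IOR('v', 1, long) */
#define FS_IOC_SETVERSION   IOC(1, 'v', 2, 8)   /* _IOW('v', 2, long) */
#define FS_IOC32_GETFLAGS   IOC(2, 'f', 1, 4)   /* _IOR('f', 1, int) */
#define FS_IOC32_SETFLAGS   IOC(1, 'f', 2, 4)   /* _IOW('f', 2, int) */
#define FS_IOC32_GETVERSION IOC(2, 'v', 1, 4)   /* _IOR('v', 1, int) */
#define FS_IOC32_SETVERSION IOC(1, 'v', 2, 4)   /* _IOW('v', 2, int) */

/* Before the fix: only the 64-bit codes match, so a compat caller's FS_IOC32_*
 * request falls through to the generic ioctl permission. */
enum file_perm route_before(uint32_t cmd)
{
    switch (cmd) {
    case FS_IOC_GETFLAGS: case FS_IOC_GETVERSION: return FILE__GETATTR;
    case FS_IOC_SETFLAGS: case FS_IOC_SETVERSION: return FILE__SETATTR;
    default:                                      return FILE__IOCTL;
    }
}

/* Solution 2 (chosen): list the FS_IOC32_* codes explicitly. */
enum file_perm route_solution2(uint32_t cmd)
{
    switch (cmd) {
    case FS_IOC_GETFLAGS:   case FS_IOC_GETVERSION:
    case FS_IOC32_GETFLAGS: case FS_IOC32_GETVERSION: return FILE__GETATTR;
    case FS_IOC_SETFLAGS:   case FS_IOC_SETVERSION:
    case FS_IOC32_SETFLAGS: case FS_IOC32_SETVERSION: return FILE__SETATTR;
    default:                                          return FILE__IOCTL;
    }
}

/* Solution 1 (not chosen): compare only the low 16 bits (type and nr). The size
 * field is ignored, so both widths match, but nothing in the source shows the compat case. */
enum file_perm route_solution1(uint32_t cmd)
{
    switch ((uint16_t)cmd) {
    case (uint16_t)FS_IOC_GETFLAGS: case (uint16_t)FS_IOC_GETVERSION: return FILE__GETATTR;
    case (uint16_t)FS_IOC_SETFLAGS: case (uint16_t)FS_IOC_SETVERSION: return FILE__SETATTR;
    default:                                                           return FILE__IOCTL;
    }
}
```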