When evaluating extended permissions, ignore unknown permissions instead of calling BUG(). This commit ensures that future permissions can be added without interfering with older kernels.
Fixes: fa1aa143ac4a ("selinux: extended permissions for ioctls") Cc: stable@vger.kernel.org Signed-off-by: Thiébaud Weksteen tweek@google.com --- v2: Add pr_warn_once, remove other BUG() call for key.specified
security/selinux/ss/services.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 971c45d576ba..3d5c563cfc4c 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -979,7 +979,10 @@ void services_compute_xperms_decision(struct extended_perms_decision *xpermd, return; break; default: - BUG(); + pr_warn_once( + "SELinux: unknown extended permission (%u) will be ignored\n", + node->datum.u.xperms->specified); + return; }
if (node->key.specified == AVTAB_XPERMS_ALLOWED) { @@ -998,7 +1001,8 @@ void services_compute_xperms_decision(struct extended_perms_decision *xpermd, &node->datum.u.xperms->perms, xpermd->dontaudit); } else { - BUG(); + pr_warn_once("SELinux: unknown specified key (%u)\n", + node->key.specified); } }
On Dec 4, 2024 "=?UTF-8?q?Thi=C3=A9baud=20Weksteen?=" tweek@google.com wrote:
When evaluating extended permissions, ignore unknown permissions instead of calling BUG(). This commit ensures that future permissions can be added without interfering with older kernels.
Fixes: fa1aa143ac4a ("selinux: extended permissions for ioctls") Cc: stable@vger.kernel.org Signed-off-by: Thiébaud Weksteen tweek@google.com
v2: Add pr_warn_once, remove other BUG() call for key.specified
security/selinux/ss/services.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)
Merged into selinux/stable-6.13, thanks!
-- paul-moore.com
linux-stable-mirror@lists.linaro.org
-
Paul Moore -
Thiébaud Weksteen