Commit a5dda683328f99c781f92c66cc52ffc0639bef58

Authored by Eric Paris
Committed by James Morris
1 parent 4cb912f1d1

SELinux: check seqno when updating an avc_node

The avc update node callbacks do not check the seqno of the caller with the
seqno of the node found.  It is possible that a policy change could happen
(although almost impossibly unlikely) in which a permissive or
permissive_domain decision is not valid for the entry found.  Simply pass
and check that the seqno of the caller and the seqno of the node found
match.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>

Showing 1 changed file with 6 additions and 3 deletions

security/selinux/avc.c
... ... @@ -742,13 +742,15 @@
742 742 * @event : Updating event
743 743 * @perms : Permission mask bits
744 744 * @ssid,@tsid,@tclass : identifier of an AVC entry
  745 + * @seqno : sequence number when decision was made
745 746 *
746 747 * if a valid AVC entry doesn't exist,this function returns -ENOENT.
747 748 * if kmalloc() called internal returns NULL, this function returns -ENOMEM.
748 749 * otherwise, this function update the AVC entry. The original AVC-entry object
749 750 * will release later by RCU.
750 751 */
751   -static int avc_update_node(u32 event, u32 perms, u32 ssid, u32 tsid, u16 tclass)
  752 +static int avc_update_node(u32 event, u32 perms, u32 ssid, u32 tsid, u16 tclass,
  753 + u32 seqno)
752 754 {
753 755 int hvalue, rc = 0;
754 756 unsigned long flag;
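Review bot: the -ENOENT sentence in this comment block ("if a valid AVC entry doesn't exist, this function returns -ENOENT") now also covers the case where an entry exists but its seqno differs from the caller's, and the new `@seqno` line does not say so. Suggest extending the description to state that an entry whose `avd.seqno` does not match `seqno` is treated as not found, so that callers understand why an update can be silently skipped after a policy reload. While the block is being touched, the existing "this function update the AVC entry" should read "updates".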
... ... @@ -767,7 +769,8 @@
767 769 list_for_each_entry(pos, &avc_cache.slots[hvalue], list) {
768 770 if (ssid == pos->ae.ssid &&
769 771 tsid == pos->ae.tsid &&
770   - tclass == pos->ae.tclass){
  772 + tclass == pos->ae.tclass &&
  773 + seqno == pos->ae.avd.seqno){
771 774 orig = pos;
772 775 break;
773 776 }
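Review bot: the added `seqno == pos->ae.avd.seqno` condition makes a stale entry fall through to the not-found path rather than being upgraded in place, which is the safe direction for the race the commit message describes (a decision made under old policy is never turned into a cached grant under new policy). A one-line comment on the condition explaining that a seqno mismatch deliberately means "no matching node" would help, since on its own the extra comparison reads like a lookup key rather than a freshness check.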
... ... @@ -908,7 +911,7 @@
908 911 rc = -EACCES;
909 912 else if (!selinux_enforcing || security_permissive_sid(ssid))
910 913 avc_update_node(AVC_CALLBACK_GRANT, requested, ssid,
911   - tsid, tclass);
  914 + tsid, tclass, p_ae->avd.seqno);
912 915 else
913 916 rc = -EACCES;
914 917 }
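Review bot: the return value of `avc_update_node(AVC_CALLBACK_GRANT, ...)` is still discarded at this call site, so an -ENOENT caused by the new seqno check (or an -ENOMEM) passes unnoticed. That is acceptable here because the permissive grant has already been decided by the `!selinux_enforcing || security_permissive_sid(ssid)` test and only the cache entry is affected, but a brief comment saying the update is best-effort would make that intent explicit. This is the only caller changed in the patch (consistent with the 6 additions / 3 deletions shown), so the signature change would break the build if another caller existed; passing `p_ae->avd.seqno` here correctly ties the update to the seqno of the entry the decision was taken from.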