tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

Merge tag 'selinux-pr-20251121' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux

Pull selinux fixes from Paul Moore:
"Three SELinux patches for v6.18 to fix issues around accessing the
per-task decision cache that we introduced in v6.16 to help reduce
SELinux overhead on path walks. The problem was that despite the cache
being located in the SELinux "task_security_struct", the parent struct
wasn't actually tied to the task, it was tied to a cred.

Historically SELinux did locate the task_security_struct in the
task_struct's security blob, but it was later relocated to the cred
struct when the cred work happened, as it made the most sense at the
time.

Unfortunately we never did the task_security_struct to
cred_security_struct rename work (avoid code churn maybe? who knows)
because it didn't really matter at the time. However, it suddenly
became a problem when we added a per-task cache to a per-cred object
and didn't notice because of the old, no-longer-correct struct naming.

Thanks to KCSAN for flagging this, as the silly humans running things
forgot that the task_security_struct was a big lie.

This contains three patches, only one of which actually fixes the
problem described above and moves the SELinux decision cache from the
per-cred struct to a newly (re)created per-task struct.

The other two patches, which form the bulk of the diffstat, take care
of the associated renaming tasks so we can hopefully avoid making the
same stupid mistake in the future.

For the record, I did contemplate sending just a fix for the cache,
leaving the renaming patches for the upcoming merge window, but the
type/variable naming ended up being pretty awful and would have made
v6.18 an outlier stuck between the "old" names and the "new" names in
v6.19. The renaming patches are also fairly mechanical/trivial and
shouldn't pose much risk despite their size.

TLDR; naming things may be hard, but if you mess it up bad things
happen"

* tag 'selinux-pr-20251121' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
selinux: rename the cred_security_struct variables to "crsec"
selinux: move avdcache to per-task security struct
selinux: rename task_security_struct to cred_security_struct

Linus Torvalds 5703357e 2eba5e05

+144 -129
+128 -123
security/selinux/hooks.c
··· 210 210 */ 211 211 static void cred_init_security(void) 212 212 { 213 - struct task_security_struct *tsec; 213 + struct cred_security_struct *crsec; 214 214 215 215 /* NOTE: the lsm framework zeros out the buffer on allocation */ 216 216 217 - tsec = selinux_cred(unrcu_pointer(current->real_cred)); 218 - tsec->osid = tsec->sid = tsec->avdcache.sid = SECINITSID_KERNEL; 217 + crsec = selinux_cred(unrcu_pointer(current->real_cred)); 218 + crsec->osid = crsec->sid = SECINITSID_KERNEL; 219 219 } 220 220 221 221 /* ··· 223 223 */ 224 224 static inline u32 cred_sid(const struct cred *cred) 225 225 { 226 - const struct task_security_struct *tsec; 226 + const struct cred_security_struct *crsec; 227 227 228 - tsec = selinux_cred(cred); 229 - return tsec->sid; 228 + crsec = selinux_cred(cred); 229 + return crsec->sid; 230 230 } 231 231 232 232 static void __ad_net_init(struct common_audit_data *ad, ··· 437 437 struct superblock_security_struct *sbsec, 438 438 const struct cred *cred) 439 439 { 440 - const struct task_security_struct *tsec = selinux_cred(cred); 440 + const struct cred_security_struct *crsec = selinux_cred(cred); 441 441 int rc; 442 442 443 - rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 443 + rc = avc_has_perm(crsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 444 444 FILESYSTEM__RELABELFROM, NULL); 445 445 if (rc) 446 446 return rc; 447 447 448 - rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, 448 + rc = avc_has_perm(crsec->sid, sid, SECCLASS_FILESYSTEM, 449 449 FILESYSTEM__RELABELTO, NULL); 450 450 return rc; 451 451 } ··· 454 454 struct superblock_security_struct *sbsec, 455 455 const struct cred *cred) 456 456 { 457 - const struct task_security_struct *tsec = selinux_cred(cred); 457 + const struct cred_security_struct *crsec = selinux_cred(cred); 458 458 int rc; 459 - rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 459 + rc = avc_has_perm(crsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 460 460 FILESYSTEM__RELABELFROM, NULL); 461 461 if (rc) 462 462 return rc; ··· 1788 1788 * Determine the label for an inode that might be unioned. 1789 1789 */ 1790 1790 static int 1791 - selinux_determine_inode_label(const struct task_security_struct *tsec, 1791 + selinux_determine_inode_label(const struct cred_security_struct *crsec, 1792 1792 struct inode *dir, 1793 1793 const struct qstr *name, u16 tclass, 1794 1794 u32 *_new_isid) ··· 1800 1800 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) { 1801 1801 *_new_isid = sbsec->mntpoint_sid; 1802 1802 } else if ((sbsec->flags & SBLABEL_MNT) && 1803 - tsec->create_sid) { 1804 - *_new_isid = tsec->create_sid; 1803 + crsec->create_sid) { 1804 + *_new_isid = crsec->create_sid; 1805 1805 } else { 1806 1806 const struct inode_security_struct *dsec = inode_security(dir); 1807 - return security_transition_sid(tsec->sid, 1807 + return security_transition_sid(crsec->sid, 1808 1808 dsec->sid, tclass, 1809 1809 name, _new_isid); 1810 1810 } ··· 1817 1817 struct dentry *dentry, 1818 1818 u16 tclass) 1819 1819 { 1820 - const struct task_security_struct *tsec = selinux_cred(current_cred()); 1820 + const struct cred_security_struct *crsec = selinux_cred(current_cred()); 1821 1821 struct inode_security_struct *dsec; 1822 1822 struct superblock_security_struct *sbsec; 1823 1823 u32 sid, newsid; ··· 1827 1827 dsec = inode_security(dir); 1828 1828 sbsec = selinux_superblock(dir->i_sb); 1829 1829 1830 - sid = tsec->sid; 1830 + sid = crsec->sid; 1831 1831 1832 1832 ad.type = LSM_AUDIT_DATA_DENTRY; 1833 1833 ad.u.dentry = dentry; ··· 1838 1838 if (rc) 1839 1839 return rc; 1840 1840 1841 - rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass, 1841 + rc = selinux_determine_inode_label(crsec, dir, &dentry->d_name, tclass, 1842 1842 &newsid); 1843 1843 if (rc) 1844 1844 return rc; ··· 2251 2251 } 2252 2252 2253 2253 static int check_nnp_nosuid(const struct linux_binprm *bprm, 2254 - const struct task_security_struct *old_tsec, 2255 - const struct task_security_struct *new_tsec) 2254 + const struct cred_security_struct *old_crsec, 2255 + const struct cred_security_struct *new_crsec) 2256 2256 { 2257 2257 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); 2258 2258 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt); ··· 2262 2262 if (!nnp && !nosuid) 2263 2263 return 0; /* neither NNP nor nosuid */ 2264 2264 2265 - if (new_tsec->sid == old_tsec->sid) 2265 + if (new_crsec->sid == old_crsec->sid) 2266 2266 return 0; /* No change in credentials */ 2267 2267 2268 2268 /* ··· 2277 2277 av |= PROCESS2__NNP_TRANSITION; 2278 2278 if (nosuid) 2279 2279 av |= PROCESS2__NOSUID_TRANSITION; 2280 - rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2280 + rc = avc_has_perm(old_crsec->sid, new_crsec->sid, 2281 2281 SECCLASS_PROCESS2, av, NULL); 2282 2282 if (!rc) 2283 2283 return 0; ··· 2288 2288 * i.e. SIDs that are guaranteed to only be allowed a subset 2289 2289 * of the permissions of the current SID. 2290 2290 */ 2291 - rc = security_bounded_transition(old_tsec->sid, 2292 - new_tsec->sid); 2291 + rc = security_bounded_transition(old_crsec->sid, 2292 + new_crsec->sid); 2293 2293 if (!rc) 2294 2294 return 0; 2295 2295 ··· 2305 2305 2306 2306 static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm) 2307 2307 { 2308 - const struct task_security_struct *old_tsec; 2309 - struct task_security_struct *new_tsec; 2308 + const struct cred_security_struct *old_crsec; 2309 + struct cred_security_struct *new_crsec; 2310 2310 struct inode_security_struct *isec; 2311 2311 struct common_audit_data ad; 2312 2312 struct inode *inode = file_inode(bprm->file); ··· 2315 2315 /* SELinux context only depends on initial program or script and not 2316 2316 * the script interpreter */ 2317 2317 2318 - old_tsec = selinux_cred(current_cred()); 2319 - new_tsec = selinux_cred(bprm->cred); 2318 + old_crsec = selinux_cred(current_cred()); 2319 + new_crsec = selinux_cred(bprm->cred); 2320 2320 isec = inode_security(inode); 2321 2321 2322 2322 /* Default to the current task SID. */ 2323 - new_tsec->sid = old_tsec->sid; 2324 - new_tsec->osid = old_tsec->sid; 2323 + new_crsec->sid = old_crsec->sid; 2324 + new_crsec->osid = old_crsec->sid; 2325 2325 2326 2326 /* Reset fs, key, and sock SIDs on execve. */ 2327 - new_tsec->create_sid = 0; 2328 - new_tsec->keycreate_sid = 0; 2329 - new_tsec->sockcreate_sid = 0; 2327 + new_crsec->create_sid = 0; 2328 + new_crsec->keycreate_sid = 0; 2329 + new_crsec->sockcreate_sid = 0; 2330 2330 2331 2331 /* 2332 2332 * Before policy is loaded, label any task outside kernel space ··· 2335 2335 * (if the policy chooses to set SECINITSID_INIT != SECINITSID_KERNEL). 2336 2336 */ 2337 2337 if (!selinux_initialized()) { 2338 - new_tsec->sid = SECINITSID_INIT; 2338 + new_crsec->sid = SECINITSID_INIT; 2339 2339 /* also clear the exec_sid just in case */ 2340 - new_tsec->exec_sid = 0; 2340 + new_crsec->exec_sid = 0; 2341 2341 return 0; 2342 2342 } 2343 2343 2344 - if (old_tsec->exec_sid) { 2345 - new_tsec->sid = old_tsec->exec_sid; 2344 + if (old_crsec->exec_sid) { 2345 + new_crsec->sid = old_crsec->exec_sid; 2346 2346 /* Reset exec SID on execve. */ 2347 - new_tsec->exec_sid = 0; 2347 + new_crsec->exec_sid = 0; 2348 2348 2349 2349 /* Fail on NNP or nosuid if not an allowed transition. */ 2350 - rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2350 + rc = check_nnp_nosuid(bprm, old_crsec, new_crsec); 2351 2351 if (rc) 2352 2352 return rc; 2353 2353 } else { 2354 2354 /* Check for a default transition on this program. */ 2355 - rc = security_transition_sid(old_tsec->sid, 2355 + rc = security_transition_sid(old_crsec->sid, 2356 2356 isec->sid, SECCLASS_PROCESS, NULL, 2357 - &new_tsec->sid); 2357 + &new_crsec->sid); 2358 2358 if (rc) 2359 2359 return rc; 2360 2360 ··· 2362 2362 * Fallback to old SID on NNP or nosuid if not an allowed 2363 2363 * transition. 2364 2364 */ 2365 - rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2365 + rc = check_nnp_nosuid(bprm, old_crsec, new_crsec); 2366 2366 if (rc) 2367 - new_tsec->sid = old_tsec->sid; 2367 + new_crsec->sid = old_crsec->sid; 2368 2368 } 2369 2369 2370 2370 ad.type = LSM_AUDIT_DATA_FILE; 2371 2371 ad.u.file = bprm->file; 2372 2372 2373 - if (new_tsec->sid == old_tsec->sid) { 2374 - rc = avc_has_perm(old_tsec->sid, isec->sid, 2373 + if (new_crsec->sid == old_crsec->sid) { 2374 + rc = avc_has_perm(old_crsec->sid, isec->sid, 2375 2375 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2376 2376 if (rc) 2377 2377 return rc; 2378 2378 } else { 2379 2379 /* Check permissions for the transition. */ 2380 - rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2380 + rc = avc_has_perm(old_crsec->sid, new_crsec->sid, 2381 2381 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2382 2382 if (rc) 2383 2383 return rc; 2384 2384 2385 - rc = avc_has_perm(new_tsec->sid, isec->sid, 2385 + rc = avc_has_perm(new_crsec->sid, isec->sid, 2386 2386 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2387 2387 if (rc) 2388 2388 return rc; 2389 2389 2390 2390 /* Check for shared state */ 2391 2391 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2392 - rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2392 + rc = avc_has_perm(old_crsec->sid, new_crsec->sid, 2393 2393 SECCLASS_PROCESS, PROCESS__SHARE, 2394 2394 NULL); 2395 2395 if (rc) ··· 2401 2401 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 2402 2402 u32 ptsid = ptrace_parent_sid(); 2403 2403 if (ptsid != 0) { 2404 - rc = avc_has_perm(ptsid, new_tsec->sid, 2404 + rc = avc_has_perm(ptsid, new_crsec->sid, 2405 2405 SECCLASS_PROCESS, 2406 2406 PROCESS__PTRACE, NULL); 2407 2407 if (rc) ··· 2415 2415 /* Enable secure mode for SIDs transitions unless 2416 2416 the noatsecure permission is granted between 2417 2417 the two SIDs, i.e. ahp returns 0. */ 2418 - rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2418 + rc = avc_has_perm(old_crsec->sid, new_crsec->sid, 2419 2419 SECCLASS_PROCESS, PROCESS__NOATSECURE, 2420 2420 NULL); 2421 2421 bprm->secureexec |= !!rc; ··· 2483 2483 */ 2484 2484 static void selinux_bprm_committing_creds(const struct linux_binprm *bprm) 2485 2485 { 2486 - struct task_security_struct *new_tsec; 2486 + struct cred_security_struct *new_crsec; 2487 2487 struct rlimit *rlim, *initrlim; 2488 2488 int rc, i; 2489 2489 2490 - new_tsec = selinux_cred(bprm->cred); 2491 - if (new_tsec->sid == new_tsec->osid) 2490 + new_crsec = selinux_cred(bprm->cred); 2491 + if (new_crsec->sid == new_crsec->osid) 2492 2492 return; 2493 2493 2494 2494 /* Close files for which the new task SID is not authorized. */ ··· 2507 2507 * higher than the default soft limit for cases where the default is 2508 2508 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2509 2509 */ 2510 - rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, 2510 + rc = avc_has_perm(new_crsec->osid, new_crsec->sid, SECCLASS_PROCESS, 2511 2511 PROCESS__RLIMITINH, NULL); 2512 2512 if (rc) { 2513 2513 /* protect against do_prlimit() */ ··· 2529 2529 */ 2530 2530 static void selinux_bprm_committed_creds(const struct linux_binprm *bprm) 2531 2531 { 2532 - const struct task_security_struct *tsec = selinux_cred(current_cred()); 2532 + const struct cred_security_struct *crsec = selinux_cred(current_cred()); 2533 2533 u32 osid, sid; 2534 2534 int rc; 2535 2535 2536 - osid = tsec->osid; 2537 - sid = tsec->sid; 2536 + osid = crsec->osid; 2537 + sid = crsec->sid; 2538 2538 2539 2539 if (sid == osid) 2540 2540 return; ··· 2911 2911 { 2912 2912 u32 newsid; 2913 2913 int rc; 2914 - struct task_security_struct *tsec; 2914 + struct cred_security_struct *crsec; 2915 2915 2916 2916 rc = selinux_determine_inode_label(selinux_cred(old), 2917 2917 d_inode(dentry->d_parent), name, ··· 2920 2920 if (rc) 2921 2921 return rc; 2922 2922 2923 - tsec = selinux_cred(new); 2924 - tsec->create_sid = newsid; 2923 + crsec = selinux_cred(new); 2924 + crsec->create_sid = newsid; 2925 2925 return 0; 2926 2926 } 2927 2927 ··· 2929 2929 const struct qstr *qstr, 2930 2930 struct xattr *xattrs, int *xattr_count) 2931 2931 { 2932 - const struct task_security_struct *tsec = selinux_cred(current_cred()); 2932 + const struct cred_security_struct *crsec = selinux_cred(current_cred()); 2933 2933 struct superblock_security_struct *sbsec; 2934 2934 struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count); 2935 2935 u32 newsid, clen; ··· 2939 2939 2940 2940 sbsec = selinux_superblock(dir->i_sb); 2941 2941 2942 - newsid = tsec->create_sid; 2942 + newsid = crsec->create_sid; 2943 2943 newsclass = inode_mode_to_security_class(inode->i_mode); 2944 - rc = selinux_determine_inode_label(tsec, dir, qstr, newsclass, &newsid); 2944 + rc = selinux_determine_inode_label(crsec, dir, qstr, newsclass, &newsid); 2945 2945 if (rc) 2946 2946 return rc; 2947 2947 ··· 3113 3113 static inline void task_avdcache_reset(struct task_security_struct *tsec) 3114 3114 { 3115 3115 memset(&tsec->avdcache.dir, 0, sizeof(tsec->avdcache.dir)); 3116 - tsec->avdcache.sid = tsec->sid; 3116 + tsec->avdcache.sid = current_sid(); 3117 3117 tsec->avdcache.seqno = avc_policy_seqno(); 3118 3118 tsec->avdcache.dir_spot = TSEC_AVDC_DIR_SIZE - 1; 3119 3119 } ··· 3137 3137 if (isec->sclass != SECCLASS_DIR) 3138 3138 return -ENOENT; 3139 3139 3140 - if (unlikely(tsec->sid != tsec->avdcache.sid || 3140 + if (unlikely(current_sid() != tsec->avdcache.sid || 3141 3141 tsec->avdcache.seqno != avc_policy_seqno())) { 3142 3142 task_avdcache_reset(tsec); 3143 3143 return -ENOENT; ··· 3201 3201 { 3202 3202 int mask; 3203 3203 u32 perms; 3204 + u32 sid = current_sid(); 3204 3205 struct task_security_struct *tsec; 3205 3206 struct inode_security_struct *isec; 3206 3207 struct avdc_entry *avdc; ··· 3214 3213 if (!mask) 3215 3214 return 0; 3216 3215 3217 - tsec = selinux_cred(current_cred()); 3218 - if (task_avdcache_permnoaudit(tsec)) 3216 + tsec = selinux_task(current); 3217 + if (task_avdcache_permnoaudit(tsec, sid)) 3219 3218 return 0; 3220 3219 3221 3220 isec = inode_security_rcu(inode, requested & MAY_NOT_BLOCK); ··· 3235 3234 struct av_decision avd; 3236 3235 3237 3236 /* Cache miss. */ 3238 - rc = avc_has_perm_noaudit(tsec->sid, isec->sid, isec->sclass, 3237 + rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, 3239 3238 perms, 0, &avd); 3240 3239 audited = avc_audit_required(perms, &avd, rc, 3241 3240 (requested & MAY_ACCESS) ? FILE__AUDIT_ACCESS : 0, ··· 3286 3285 { 3287 3286 struct task_security_struct *tsec; 3288 3287 3289 - tsec = selinux_cred(current_cred()); 3288 + tsec = selinux_task(current); 3290 3289 3291 - if (task_avdcache_permnoaudit(tsec)) 3290 + if (task_avdcache_permnoaudit(tsec, current_sid())) 3292 3291 return 0; 3293 3292 3294 3293 return path_has_perm(current_cred(), path, FILE__GETATTR); ··· 3660 3659 static int selinux_inode_copy_up(struct dentry *src, struct cred **new) 3661 3660 { 3662 3661 struct lsm_prop prop; 3663 - struct task_security_struct *tsec; 3662 + struct cred_security_struct *crsec; 3664 3663 struct cred *new_creds = *new; 3665 3664 3666 3665 if (new_creds == NULL) { ··· 3669 3668 return -ENOMEM; 3670 3669 } 3671 3670 3672 - tsec = selinux_cred(new_creds); 3671 + crsec = selinux_cred(new_creds); 3673 3672 /* Get label from overlay inode and set it in create_sid */ 3674 3673 selinux_inode_getlsmprop(d_inode(src), &prop); 3675 - tsec->create_sid = prop.selinux.secid; 3674 + crsec->create_sid = prop.selinux.secid; 3676 3675 *new = new_creds; 3677 3676 return 0; 3678 3677 } ··· 3698 3697 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir, 3699 3698 struct kernfs_node *kn) 3700 3699 { 3701 - const struct task_security_struct *tsec = selinux_cred(current_cred()); 3700 + const struct cred_security_struct *crsec = selinux_cred(current_cred()); 3702 3701 u32 parent_sid, newsid, clen; 3703 3702 int rc; 3704 3703 char *context; ··· 3726 3725 if (rc) 3727 3726 return rc; 3728 3727 3729 - if (tsec->create_sid) { 3730 - newsid = tsec->create_sid; 3728 + if (crsec->create_sid) { 3729 + newsid = crsec->create_sid; 3731 3730 } else { 3732 3731 u16 secclass = inode_mode_to_security_class(kn->mode); 3733 3732 const char *kn_name; ··· 3738 3737 q.name = kn_name; 3739 3738 q.hash_len = hashlen_string(kn_dir, kn_name); 3740 3739 3741 - rc = security_transition_sid(tsec->sid, 3740 + rc = security_transition_sid(crsec->sid, 3742 3741 parent_sid, secclass, &q, 3743 3742 &newsid); 3744 3743 if (rc) ··· 4152 4151 u64 clone_flags) 4153 4152 { 4154 4153 u32 sid = current_sid(); 4154 + struct task_security_struct *old_tsec = selinux_task(current); 4155 + struct task_security_struct *new_tsec = selinux_task(task); 4155 4156 4157 + *new_tsec = *old_tsec; 4156 4158 return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL); 4157 4159 } 4158 4160 ··· 4165 4161 static int selinux_cred_prepare(struct cred *new, const struct cred *old, 4166 4162 gfp_t gfp) 4167 4163 { 4168 - const struct task_security_struct *old_tsec = selinux_cred(old); 4169 - struct task_security_struct *tsec = selinux_cred(new); 4164 + const struct cred_security_struct *old_crsec = selinux_cred(old); 4165 + struct cred_security_struct *crsec = selinux_cred(new); 4170 4166 4171 - *tsec = *old_tsec; 4167 + *crsec = *old_crsec; 4172 4168 return 0; 4173 4169 } 4174 4170 ··· 4177 4173 */ 4178 4174 static void selinux_cred_transfer(struct cred *new, const struct cred *old) 4179 4175 { 4180 - const struct task_security_struct *old_tsec = selinux_cred(old); 4181 - struct task_security_struct *tsec = selinux_cred(new); 4176 + const struct cred_security_struct *old_crsec = selinux_cred(old); 4177 + struct cred_security_struct *crsec = selinux_cred(new); 4182 4178 4183 - *tsec = *old_tsec; 4179 + *crsec = *old_crsec; 4184 4180 } 4185 4181 4186 4182 static void selinux_cred_getsecid(const struct cred *c, u32 *secid) ··· 4199 4195 */ 4200 4196 static int selinux_kernel_act_as(struct cred *new, u32 secid) 4201 4197 { 4202 - struct task_security_struct *tsec = selinux_cred(new); 4198 + struct cred_security_struct *crsec = selinux_cred(new); 4203 4199 u32 sid = current_sid(); 4204 4200 int ret; 4205 4201 ··· 4208 4204 KERNEL_SERVICE__USE_AS_OVERRIDE, 4209 4205 NULL); 4210 4206 if (ret == 0) { 4211 - tsec->sid = secid; 4212 - tsec->create_sid = 0; 4213 - tsec->keycreate_sid = 0; 4214 - tsec->sockcreate_sid = 0; 4207 + crsec->sid = secid; 4208 + crsec->create_sid = 0; 4209 + crsec->keycreate_sid = 0; 4210 + crsec->sockcreate_sid = 0; 4215 4211 } 4216 4212 return ret; 4217 4213 } ··· 4223 4219 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) 4224 4220 { 4225 4221 struct inode_security_struct *isec = inode_security(inode); 4226 - struct task_security_struct *tsec = selinux_cred(new); 4222 + struct cred_security_struct *crsec = selinux_cred(new); 4227 4223 u32 sid = current_sid(); 4228 4224 int ret; 4229 4225 ··· 4233 4229 NULL); 4234 4230 4235 4231 if (ret == 0) 4236 - tsec->create_sid = isec->sid; 4232 + crsec->create_sid = isec->sid; 4237 4233 return ret; 4238 4234 } 4239 4235 ··· 4748 4744 4749 4745 /* socket security operations */ 4750 4746 4751 - static int socket_sockcreate_sid(const struct task_security_struct *tsec, 4747 + static int socket_sockcreate_sid(const struct cred_security_struct *crsec, 4752 4748 u16 secclass, u32 *socksid) 4753 4749 { 4754 - if (tsec->sockcreate_sid > SECSID_NULL) { 4755 - *socksid = tsec->sockcreate_sid; 4750 + if (crsec->sockcreate_sid > SECSID_NULL) { 4751 + *socksid = crsec->sockcreate_sid; 4756 4752 return 0; 4757 4753 } 4758 4754 4759 - return security_transition_sid(tsec->sid, tsec->sid, 4755 + return security_transition_sid(crsec->sid, crsec->sid, 4760 4756 secclass, NULL, socksid); 4761 4757 } 4762 4758 ··· 4801 4797 static int selinux_socket_create(int family, int type, 4802 4798 int protocol, int kern) 4803 4799 { 4804 - const struct task_security_struct *tsec = selinux_cred(current_cred()); 4800 + const struct cred_security_struct *crsec = selinux_cred(current_cred()); 4805 4801 u32 newsid; 4806 4802 u16 secclass; 4807 4803 int rc; ··· 4810 4806 return 0; 4811 4807 4812 4808 secclass = socket_type_to_security_class(family, type, protocol); 4813 - rc = socket_sockcreate_sid(tsec, secclass, &newsid); 4809 + rc = socket_sockcreate_sid(crsec, secclass, &newsid); 4814 4810 if (rc) 4815 4811 return rc; 4816 4812 4817 - return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 4813 + return avc_has_perm(crsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 4818 4814 } 4819 4815 4820 4816 static int selinux_socket_post_create(struct socket *sock, int family, 4821 4817 int type, int protocol, int kern) 4822 4818 { 4823 - const struct task_security_struct *tsec = selinux_cred(current_cred()); 4819 + const struct cred_security_struct *crsec = selinux_cred(current_cred()); 4824 4820 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock)); 4825 4821 struct sk_security_struct *sksec; 4826 4822 u16 sclass = socket_type_to_security_class(family, type, protocol); ··· 4828 4824 int err = 0; 4829 4825 4830 4826 if (!kern) { 4831 - err = socket_sockcreate_sid(tsec, sclass, &sid); 4827 + err = socket_sockcreate_sid(crsec, sclass, &sid); 4832 4828 if (err) 4833 4829 return err; 4834 4830 } ··· 6530 6526 static int selinux_lsm_getattr(unsigned int attr, struct task_struct *p, 6531 6527 char **value) 6532 6528 { 6533 - const struct task_security_struct *tsec; 6529 + const struct cred_security_struct *crsec; 6534 6530 int error; 6535 6531 u32 sid; 6536 6532 u32 len; 6537 6533 6538 6534 rcu_read_lock(); 6539 - tsec = selinux_cred(__task_cred(p)); 6535 + crsec = selinux_cred(__task_cred(p)); 6540 6536 if (p != current) { 6541 - error = avc_has_perm(current_sid(), tsec->sid, 6537 + error = avc_has_perm(current_sid(), crsec->sid, 6542 6538 SECCLASS_PROCESS, PROCESS__GETATTR, NULL); 6543 6539 if (error) 6544 6540 goto err_unlock; 6545 6541 } 6546 6542 switch (attr) { 6547 6543 case LSM_ATTR_CURRENT: 6548 - sid = tsec->sid; 6544 + sid = crsec->sid; 6549 6545 break; 6550 6546 case LSM_ATTR_PREV: 6551 - sid = tsec->osid; 6547 + sid = crsec->osid; 6552 6548 break; 6553 6549 case LSM_ATTR_EXEC: 6554 - sid = tsec->exec_sid; 6550 + sid = crsec->exec_sid; 6555 6551 break; 6556 6552 case LSM_ATTR_FSCREATE: 6557 - sid = tsec->create_sid; 6553 + sid = crsec->create_sid; 6558 6554 break; 6559 6555 case LSM_ATTR_KEYCREATE: 6560 - sid = tsec->keycreate_sid; 6556 + sid = crsec->keycreate_sid; 6561 6557 break; 6562 6558 case LSM_ATTR_SOCKCREATE: 6563 - sid = tsec->sockcreate_sid; 6559 + sid = crsec->sockcreate_sid; 6564 6560 break; 6565 6561 default: 6566 6562 error = -EOPNOTSUPP; ··· 6585 6581 6586 6582 static int selinux_lsm_setattr(u64 attr, void *value, size_t size) 6587 6583 { 6588 - struct task_security_struct *tsec; 6584 + struct cred_security_struct *crsec; 6589 6585 struct cred *new; 6590 6586 u32 mysid = current_sid(), sid = 0, ptsid; 6591 6587 int error; ··· 6671 6667 operation. See selinux_bprm_creds_for_exec for the execve 6672 6668 checks and may_create for the file creation checks. The 6673 6669 operation will then fail if the context is not permitted. */ 6674 - tsec = selinux_cred(new); 6670 + crsec = selinux_cred(new); 6675 6671 if (attr == LSM_ATTR_EXEC) { 6676 - tsec->exec_sid = sid; 6672 + crsec->exec_sid = sid; 6677 6673 } else if (attr == LSM_ATTR_FSCREATE) { 6678 - tsec->create_sid = sid; 6674 + crsec->create_sid = sid; 6679 6675 } else if (attr == LSM_ATTR_KEYCREATE) { 6680 6676 if (sid) { 6681 6677 error = avc_has_perm(mysid, sid, ··· 6683 6679 if (error) 6684 6680 goto abort_change; 6685 6681 } 6686 - tsec->keycreate_sid = sid; 6682 + crsec->keycreate_sid = sid; 6687 6683 } else if (attr == LSM_ATTR_SOCKCREATE) { 6688 - tsec->sockcreate_sid = sid; 6684 + crsec->sockcreate_sid = sid; 6689 6685 } else if (attr == LSM_ATTR_CURRENT) { 6690 6686 error = -EINVAL; 6691 6687 if (sid == 0) 6692 6688 goto abort_change; 6693 6689 6694 6690 if (!current_is_single_threaded()) { 6695 - error = security_bounded_transition(tsec->sid, sid); 6691 + error = security_bounded_transition(crsec->sid, sid); 6696 6692 if (error) 6697 6693 goto abort_change; 6698 6694 } 6699 6695 6700 6696 /* Check permissions for the transition. */ 6701 - error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 6697 + error = avc_has_perm(crsec->sid, sid, SECCLASS_PROCESS, 6702 6698 PROCESS__DYNTRANSITION, NULL); 6703 6699 if (error) 6704 6700 goto abort_change; ··· 6713 6709 goto abort_change; 6714 6710 } 6715 6711 6716 - tsec->sid = sid; 6712 + crsec->sid = sid; 6717 6713 } else { 6718 6714 error = -EINVAL; 6719 6715 goto abort_change; ··· 6880 6876 static int selinux_key_alloc(struct key *k, const struct cred *cred, 6881 6877 unsigned long flags) 6882 6878 { 6883 - const struct task_security_struct *tsec; 6879 + const struct cred_security_struct *crsec; 6884 6880 struct key_security_struct *ksec = selinux_key(k); 6885 6881 6886 - tsec = selinux_cred(cred); 6887 - if (tsec->keycreate_sid) 6888 - ksec->sid = tsec->keycreate_sid; 6882 + crsec = selinux_cred(cred); 6883 + if (crsec->keycreate_sid) 6884 + ksec->sid = crsec->keycreate_sid; 6889 6885 else 6890 - ksec->sid = tsec->sid; 6886 + ksec->sid = crsec->sid; 6891 6887 6892 6888 return 0; 6893 6889 } ··· 7141 7137 #endif 7142 7138 7143 7139 struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = { 7144 - .lbs_cred = sizeof(struct task_security_struct), 7140 + .lbs_cred = sizeof(struct cred_security_struct), 7141 + .lbs_task = sizeof(struct task_security_struct), 7145 7142 .lbs_file = sizeof(struct file_security_struct), 7146 7143 .lbs_inode = sizeof(struct inode_security_struct), 7147 7144 .lbs_ipc = sizeof(struct ipc_security_struct),
+16 -6
security/selinux/include/objsec.h
··· 37 37 bool permissive; /* AVC permissive flag */ 38 38 }; 39 39 40 - struct task_security_struct { 40 + struct cred_security_struct { 41 41 u32 osid; /* SID prior to last execve */ 42 42 u32 sid; /* current SID */ 43 43 u32 exec_sid; /* exec SID */ 44 44 u32 create_sid; /* fscreate SID */ 45 45 u32 keycreate_sid; /* keycreate SID */ 46 46 u32 sockcreate_sid; /* fscreate SID */ 47 + } __randomize_layout; 48 + 49 + struct task_security_struct { 47 50 #define TSEC_AVDC_DIR_SIZE (1 << 2) 48 51 struct { 49 52 u32 sid; /* current SID for cached entries */ ··· 57 54 } avdcache; 58 55 } __randomize_layout; 59 56 60 - static inline bool task_avdcache_permnoaudit(struct task_security_struct *tsec) 57 + static inline bool task_avdcache_permnoaudit(struct task_security_struct *tsec, 58 + u32 sid) 61 59 { 62 60 return (tsec->avdcache.permissive_neveraudit && 63 - tsec->sid == tsec->avdcache.sid && 61 + sid == tsec->avdcache.sid && 64 62 tsec->avdcache.seqno == avc_policy_seqno()); 65 63 } 66 64 ··· 176 172 }; 177 173 178 174 extern struct lsm_blob_sizes selinux_blob_sizes; 179 - static inline struct task_security_struct *selinux_cred(const struct cred *cred) 175 + static inline struct cred_security_struct *selinux_cred(const struct cred *cred) 180 176 { 181 177 return cred->security + selinux_blob_sizes.lbs_cred; 178 + } 179 + 180 + static inline struct task_security_struct * 181 + selinux_task(const struct task_struct *task) 182 + { 183 + return task->security + selinux_blob_sizes.lbs_task; 182 184 } 183 185 184 186 static inline struct file_security_struct *selinux_file(const struct file *file) ··· 217 207 */ 218 208 static inline u32 current_sid(void) 219 209 { 220 - const struct task_security_struct *tsec = selinux_cred(current_cred()); 210 + const struct cred_security_struct *crsec = selinux_cred(current_cred()); 221 211 222 - return tsec->sid; 212 + return crsec->sid; 223 213 } 224 214 225 215 static inline struct superblock_security_struct *