selinux: ignore unknown extended permissions

Message ID	20241203222741.1739916-1-tweek@google.com (mailing list archive)
State	New
Headers	show Received: from mail-pg1-f201.google.com (mail-pg1-f201.google.com [209.85.215.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B8C191F76AB for <selinux@vger.kernel.org>; Tue, 3 Dec 2024 22:27:48 +0000 (UTC) Date: Wed, 4 Dec 2024 09:27:41 +1100 Precedence: bulk Mime-Version: 1.0 Message-ID: <20241203222741.1739916-1-tweek@google.com> Subject: [PATCH] selinux: ignore unknown extended permissions From: " =?utf-8?q?Thi=C3=A9baud_Weksteen?= " <tweek@google.com> To: Paul Moore <paul@paul-moore.com> Cc: " =?utf-8?q?Christian_G=C3=B6ttsche?= " <cgzones@googlemail.com>, Stephen Smalley <stephen.smalley.work@gmail.com>, " =?utf-8?q?Bram_Bonn?= =?utf-8?q?=C3=A9?= " <brambonne@google.com>, Jeffrey Vander Stoep <jeffv@google.com>, selinux@vger.kernel.org, " =?utf-8?q?Thi=C3=A9baud_Weksteen?= " <tweek@google.com>, stable@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Series	selinux: ignore unknown extended permissions \| expand selinux: ignore unknown extended permissions

Message ID

20241203222741.1739916-1-tweek@google.com (mailing list archive)

State

New

Headers

Date: Wed,  4 Dec 2024 09:27:41 +1100
Precedence: bulk
Mime-Version: 1.0
Message-ID: <20241203222741.1739916-1-tweek@google.com>
Subject: [PATCH] selinux: ignore unknown extended permissions
From: " =?utf-8?q?Thi=C3=A9baud_Weksteen?= " <tweek@google.com>
To: Paul Moore <paul@paul-moore.com>
Cc: " =?utf-8?q?Christian_G=C3=B6ttsche?= " <cgzones@googlemail.com>,
  Stephen Smalley <stephen.smalley.work@gmail.com>,  " =?utf-8?q?Bram_Bonn?=
	=?utf-8?q?=C3=A9?= " <brambonne@google.com>,
 Jeffrey Vander Stoep <jeffv@google.com>, selinux@vger.kernel.org,  "
	=?utf-8?q?Thi=C3=A9baud_Weksteen?= " <tweek@google.com>,
 stable@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Series

selinux: ignore unknown extended permissions | expand

Commit Message

Thiébaud Weksteen Dec. 3, 2024, 10:27 p.m. UTC

When evaluating extended permissions, ignore unknown permissions instead
of calling BUG(). This commit ensures that future permissions can be
added without interfering with older kernels.

Fixes: fa1aa143ac4a ("selinux: extended permissions for ioctls")
Cc: stable@vger.kernel.org
Signed-off-by: Thiébaud Weksteen <tweek@google.com>
---
 security/selinux/ss/services.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 971c45d576ba..2fa8aebcb2e5 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -979,7 +979,8 @@  void services_compute_xperms_decision(struct extended_perms_decision *xpermd,
 			return;
 		break;
 	default:
-		BUG();
+		// An unknown extended permission has been found. Ignore it.
+		return;
 	}
 
 	if (node->key.specified == AVTAB_XPERMS_ALLOWED) {

selinux: ignore unknown extended permissions

Commit Message

Patch