| From e4c82eafb609c2badc56f4e11bc50fcf44b8e9eb Mon Sep 17 00:00:00 2001 |
| From: Paul Moore <paul@paul-moore.com> |
| Date: Wed, 21 Apr 2021 21:15:36 -0400 |
| Subject: selinux: add proper NULL termination to the secclass_map permissions |
| |
| From: Paul Moore <paul@paul-moore.com> |
| |
| commit e4c82eafb609c2badc56f4e11bc50fcf44b8e9eb upstream. |
| |
| This patch adds the missing NULL termination to the "bpf" and |
| "perf_event" object class permission lists. |
| |
| This missing NULL termination should really only affect the tools |
| under scripts/selinux, with the most important being genheaders.c, |
| although in practice this has not been an issue on any of my dev/test |
| systems. If the problem were to manifest itself it would likely |
| result in bogus permissions added to the end of the object class; |
| thankfully with no access control checks using these bogus |
| permissions and no policies defining these permissions the impact |
| would likely be limited to some noise about undefined permissions |
| during policy load. |
| |
| Cc: stable@vger.kernel.org |
| Fixes: ec27c3568a34 ("selinux: bpf: Add selinux check for eBPF syscall operations") |
| Fixes: da97e18458fb ("perf_event: Add support for LSM and SELinux checks") |
| Signed-off-by: Paul Moore <paul@paul-moore.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| security/selinux/include/classmap.h | 5 +++-- |
| 1 file changed, 3 insertions(+), 2 deletions(-) |
| |
| --- a/security/selinux/include/classmap.h |
| +++ b/security/selinux/include/classmap.h |
| @@ -242,11 +242,12 @@ struct security_class_mapping secclass_m |
| { "infiniband_endport", |
| { "manage_subnet", NULL } }, |
| { "bpf", |
| - {"map_create", "map_read", "map_write", "prog_load", "prog_run"} }, |
| + { "map_create", "map_read", "map_write", "prog_load", "prog_run", |
| + NULL } }, |
| { "xdp_socket", |
| { COMMON_SOCK_PERMS, NULL } }, |
| { "perf_event", |
| - {"open", "cpu", "kernel", "tracepoint", "read", "write"} }, |
| + { "open", "cpu", "kernel", "tracepoint", "read", "write", NULL } }, |
| { "lockdown", |
| { "integrity", "confidentiality", NULL } }, |
| { NULL } |
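Review bot: The NULL terminators added to the "bpf" and "perf_event" lists are only a convention that the readers under scripts/selinux rely on; nothing in this header checks for them, so the same omission that ec27c3568a34 and da97e18458fb introduced can recur silently in the next entry. A short comment above the secclass_map initializer (which begins before this hunk) stating the contract would make the requirement visible to anyone adding a class: `/* Every permission list must end with NULL; the scripts/selinux tools (genheaders.c) walk each list up to that sentinel. */`. The `{ NULL }` on the last line of the hunk is the sentinel for the outer class array, not for a permission list, and the new entries now match the `{ ..., NULL } }` spacing used by the neighbouring entries.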