kernel/security/selinux/include/avc.h, branch linux-rolling-stable

selinux: introduce neveraudit types

2025-06-19T21:23:04Z

Introduce neveraudit types i.e. types that should never trigger audit messages. This allows the AVC to skip all audit-related processing for such types. Note that neveraudit differs from dontaudit not only wrt being applied for all checks with a given source type but also in that it disables all auditing, not just permission denials. When a type is both a permissive type and a neveraudit type, the security server can short-circuit the security_compute_av() logic, allowing all permissions and not auditing any permissions. This change just introduces the basic support but does not yet further optimize the AVC or hook function logic when a type is both a permissive type and a dontaudit type. Suggested-by: Paul Moore Signed-off-by: Stephen Smalley Signed-off-by: Paul Moore

selinux: match extended permissions to their base permissions

2025-01-05T01:58:46Z

In commit d1d991efaf34 ("selinux: Add netlink xperm support") a new extended permission was added ("nlmsg"). This was the second extended permission implemented in selinux ("ioctl" being the first one). Extended permissions are associated with a base permission. It was found that, in the access vector cache (avc), the extended permission did not keep track of its base permission. This is an issue for a domain that is using both extended permissions (i.e., a domain calling ioctl() on a netlink socket). In this case, the extended permissions were overlapping. Keep track of the base permission in the cache. A new field "base_perm" is added to struct extended_perms_decision to make sure that the extended permission refers to the correct policy permission. A new field "base_perms" is added to struct extended_perms to quickly decide if extended permissions apply. While it is in theory possible to retrieve the base permission from the access vector, the same base permission may not be mapped to the same bit for each class (e.g., "nlmsg" is mapped to a different bit for "netlink_route_socket" and "netlink_audit_socket"). Instead, use a constant (AVC_EXT_IOCTL or AVC_EXT_NLMSG) provided by the caller. Fixes: d1d991efaf34 ("selinux: Add netlink xperm support") Signed-off-by: Thiébaud Weksteen Signed-off-by: Paul Moore

selinux: align avc_has_perm_noaudit() prototype with definition

2023-12-22T23:09:26Z

A trivial correction to convert an 'unsigned' parameter into an 'unsigned int' parameter so the prototype matches the function definition. I really thought that someone submitted a patch for this a few years ago but sadly I can't find it now. Signed-off-by: Paul Moore

selinux: fix style issues in security/selinux/include/avc.h

2023-12-22T23:09:26Z

As part of on ongoing effort to perform more automated testing and provide more tools for individual developers to validate their patches before submitting, we are trying to make our code "clang-format clean". My hope is that once we have fixed all of our style "quirks", developers will be able to run clang-format on their patches to help avoid silly formatting problems and ensure their changes fit in well with the rest of the SELinux kernel code. Signed-off-by: Paul Moore

selinux: update my email address

2023-07-19T15:27:02Z

Update my email address; MAINTAINERS was updated some time ago. Signed-off-by: Stephen Smalley Signed-off-by: Paul Moore

selinux: avc: drop unused function avc_disable()

2023-05-08T20:45:36Z

Since commit f22f9aaf6c3d ("selinux: remove the runtime disable functionality") the function avc_disable() is no longer used. Signed-off-by: Christian Göttsche Signed-off-by: Paul Moore

selinux: stop passing selinux_state pointers and their offspring

2023-03-14T19:22:45Z

Linus observed that the pervasive passing of selinux_state pointers introduced by me in commit aa8e712cee93 ("selinux: wrap global selinux state") adds overhead and complexity without providing any benefit. The original idea was to pave the way for SELinux namespaces but those have not yet been implemented and there isn't currently a concrete plan to do so. Remove the passing of the selinux_state pointers, reverting to direct use of the single global selinux_state, and likewise remove passing of child pointers like the selinux_avc. The selinux_policy pointer remains as it is needed for atomic switching of policies. Suggested-by: Linus Torvalds Reported-by: kernel test robot Link: https://lore.kernel.org/oe-kbuild-all/202303101057.mZ3Gv5fK-lkp@intel.com/ Signed-off-by: Stephen Smalley Signed-off-by: Paul Moore

selinux: add __randomize_layout to selinux_audit_data

2022-06-07T20:03:21Z

Randomize the layout of struct selinux_audit_data as suggested in [1], since it contains a pointer to struct selinux_state, an already randomized strucure. [1]: https://github.com/KSPP/linux/issues/188 Signed-off-by: GONG, Ruiqi Signed-off-by: Paul Moore

selinux: update parameter documentation

2022-05-03T18:03:57Z

security/selinux/include/audit.h:54: warning: Function parameter or member 'krule' not described in 'selinux_audit_rule_known' security/selinux/include/audit.h:54: warning: Excess function parameter 'rule' description in 'selinux_audit_rule_known' security/selinux/include/avc.h:130: warning: Function parameter or member 'state' not described in 'avc_audit' This also bring the parameter name of selinux_audit_rule_known() in sync between declaration and definition. Signed-off-by: Christian Göttsche Signed-off-by: Paul Moore

selinux: kill 'flags' argument in avc_has_perm_flags() and avc_audit()

2021-06-11T17:11:45Z

... along with avc_has_perm_flags() itself, since now it's identical to avc_has_perm() (as pointed out by Paul Moore) Signed-off-by: Al Viro [PM: add "selinux:" prefix to subj and tweak for length] Signed-off-by: Paul Moore