From: Greg Kroah-Hartman
Date: Fri, 3 Jan 2025 14:47:26 +0000 (+0100)
Subject: 5.4-stable patches
X-Git-Tag: v5.4.289~73
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0321bf0bd1d94ab65b7380613d81fdfa36619114;p=thirdparty%2Fkernel%2Fstable-queue.git
5.4-stable patches
added patches:
selinux-ignore-unknown-extended-permissions.patch
---
diff --git a/queue-5.4/selinux-ignore-unknown-extended-permissions.patch b/queue-5.4/selinux-ignore-unknown-extended-permissions.patch
new file mode 100644
index 00000000000..629fcd69c12
--- /dev/null
+++ b/queue-5.4/selinux-ignore-unknown-extended-permissions.patch
@@ -0,0 +1,50 @@
+From 900f83cf376bdaf798b6f5dcb2eae0c822e908b6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?=
+Date: Thu, 5 Dec 2024 12:09:19 +1100
+Subject: selinux: ignore unknown extended permissions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thiébaud Weksteen
+
+commit 900f83cf376bdaf798b6f5dcb2eae0c822e908b6 upstream.
+
+When evaluating extended permissions, ignore unknown permissions instead
+of calling BUG(). This commit ensures that future permissions can be
+added without interfering with older kernels.
+
+Cc: stable@vger.kernel.org
+Fixes: fa1aa143ac4a ("selinux: extended permissions for ioctls")
+Signed-off-by: Thiébaud Weksteen
+Signed-off-by: Paul Moore
+Acked-by: Paul Moore
+Signed-off-by: Greg Kroah-Hartman
+---
+ security/selinux/ss/services.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/security/selinux/ss/services.c
++++ b/security/selinux/ss/services.c
+@@ -954,7 +954,10 @@ void services_compute_xperms_decision(st
+ xpermd->driver))
+ return;
+ } else {
+- BUG();
++ pr_warn_once(
++ "SELinux: unknown extended permission (%u) will be ignored\n",
++ node->datum.u.xperms->specified);
++ return;
+ }
+ 
+ if (node->key.specified == AVTAB_XPERMS_ALLOWED) {
+@@ -991,7 +994,8 @@ void services_compute_xperms_decision(st
+ node->datum.u.xperms->perms.p[i];
+ }
+ } else {
+- BUG();
++ pr_warn_once("SELinux: unknown specified key (%u)\n",
++ node->key.specified);
+ }
+ }
+ 
diff --git a/queue-5.4/series b/queue-5.4/series
index 9947a8e7431..9e5b8dfe5bc 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -59,3 +59,4 @@ tracing-constify-string-literal-data-member-in-struct-trace_event_call.patch
 btrfs-avoid-monopolizing-a-core-when-activating-a-swap-file.patch
 skb_expand_head-adjust-skb-truesize-incorrectly.patch
 ipv6-prevent-possible-uaf-in-ip6_xmit.patch
+selinux-ignore-unknown-extended-permissions.patch
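Review bot: The new early `return` in the first inner hunk of services.c leaves `xpermd` untouched when `node->datum.u.xperms->specified` is unknown, so the node's rule is dropped rather than applied; that is fail-closed only because the caller presumably zeroes the decision before walking the avtab nodes (the caller is outside this hunk, so confirm), and a comment at the return would pin that contract: `/* Unknown xperm type: skip this node; with the caller's zeroed decision this is a deny, never an allow. */`. A further caveat is that `pr_warn_once` fires once per call site, so after the first unknown value any different unknown type is dropped with no log entry at all; if that visibility matters for policy debugging, `pr_warn_ratelimited` bounds the spam while still reporting later values. The second inner hunk (unknown `node->key.specified`) only warns and then falls off the end of the function, which has the same skip-the-node effect and is consistent with the first. `services_compute_xperms_decision` starts before the hunk and its signature is truncated in the `@@` header, so the initial `if`/`else if` chain that classifies `specified` is not visible here.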