From: Greg Kroah-Hartman
Date: Fri, 3 Jan 2025 14:47:37 +0000 (+0100)
Subject: 5.10-stable patches
X-Git-Tag: v5.4.289~72
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2ca286797e0f3ff072ddce1d85da12f7bc8d02d8;p=thirdparty%2Fkernel%2Fstable-queue.git

5.10-stable patches
added patches:
selinux-ignore-unknown-extended-permissions.patch
---
diff --git a/queue-5.10/selinux-ignore-unknown-extended-permissions.patch b/queue-5.10/selinux-ignore-unknown-extended-permissions.patch
new file mode 100644
index 00000000000..34afd487200
--- /dev/null
+++ b/queue-5.10/selinux-ignore-unknown-extended-permissions.patch
@@ -0,0 +1,50 @@
+From 900f83cf376bdaf798b6f5dcb2eae0c822e908b6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?=
+Date: Thu, 5 Dec 2024 12:09:19 +1100
+Subject: selinux: ignore unknown extended permissions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thiébaud Weksteen
+
+commit 900f83cf376bdaf798b6f5dcb2eae0c822e908b6 upstream.
+
+When evaluating extended permissions, ignore unknown permissions instead
+of calling BUG(). This commit ensures that future permissions can be
+added without interfering with older kernels.
+
+Cc: stable@vger.kernel.org
+Fixes: fa1aa143ac4a ("selinux: extended permissions for ioctls")
+Signed-off-by: Thiébaud Weksteen
+Signed-off-by: Paul Moore
+Acked-by: Paul Moore
+Signed-off-by: Greg Kroah-Hartman
+---
+ security/selinux/ss/services.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/security/selinux/ss/services.c
++++ b/security/selinux/ss/services.c
+@@ -970,7 +970,10 @@ void services_compute_xperms_decision(st
+ xpermd->driver))
+ return;
+ } else {
+- BUG();
++ pr_warn_once(
++ "SELinux: unknown extended permission (%u) will be ignored\n",
++ node->datum.u.xperms->specified);
++ return;
+ }
+
+ if (node->key.specified == AVTAB_XPERMS_ALLOWED) {
+@@ -1007,7 +1010,8 @@ void services_compute_xperms_decision(st
+ node->datum.u.xperms->perms.p[i];
+ }
+ } else {
+- BUG();
++ pr_warn_once("SELinux: unknown specified key (%u)\n",
++ node->key.specified);
+ }
+ }
+
diff --git a/queue-5.10/series b/queue-5.10/series
index df9a9845f49..ebe22736006 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -82,3 +82,4 @@ nfsd-cancel-nfsd_shrinker_work-using-sync-mode-in-nfs4_state_shutdown_net.patch
 skb_expand_head-adjust-skb-truesize-incorrectly.patch
 ipv6-prevent-possible-uaf-in-ip6_xmit.patch
 x86-hyperv-fix-hv-tsc-page-based-sched_clock-for-hibernation.patch
+selinux-ignore-unknown-extended-permissions.patch
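Review bot: In the queued services.c change, both replacements for BUG() use `pr_warn_once`, so each call site reports only the first unknown value after boot; later, different values are skipped with no log line, and neither message identifies the avtab rule being dropped. The early `return` in the first inner hunk precedes the AVTAB_XPERMS_ALLOWED handling, so an unknown allow rule appears to fail closed, but an operator chasing the resulting denials has little to go on; consider a rate-limited warning, or reporting unknown types when the policy is loaded. The second message also omits the outcome that the first one states; for consistency it could read `pr_warn_once("SELinux: unknown specified key (%u) will be ignored\n", node->key.specified);`. services_compute_xperms_decision begins outside both inner hunks, so how the node is used before these branches cannot be checked from this page.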