[PATCH v7 41/42] selinux: convert nlmsg_sock_has_extended_perms() to namespace-aware

[PATCH v7 00/42] SELinux namespace support · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
[PATCH v7 01/42] selinux: restore passing of selinux_state · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
Re: [PATCH v7 01/42] selinux: restore passing of selinux_state · Maxwell Bland <hidden> · 2025-09-10
Re: [PATCH v7 01/42] selinux: restore passing of selinux_state · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-09-11
[PATCH v7 03/42] selinux: support multiple selinuxfs instances · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
[PATCH v7 02/42] selinux: introduce current_selinux_state · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
[PATCH v7 04/42] selinux: dynamically allocate selinux namespace · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
[PATCH v7 05/42] netstate,selinux: create the selinux netlink socket per network namespace · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
[PATCH v7 06/42] selinux: limit selinux netlink notifications to init namespace · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
[PATCH v7 07/42] selinux: support per-task/cred selinux namespace · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
[PATCH v7 08/42] selinux: introduce cred_selinux_state() and use it · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
[PATCH v7 09/42] selinux: init inode from nearest initialized namespace · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
[PATCH v7 10/42] selinux: add a selinuxfs interface to unshare selinux namespace · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
[PATCH v7 11/42] selinux: add limits for SELinux namespaces · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
[PATCH v7 12/42] selinux: exempt creation of init SELinux namespace from limits · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
[PATCH v7 13/42] selinux: refactor selinux_state_create() · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
[PATCH v7 14/42] selinux: allow userspace to detect non-init SELinux namespace · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
[PATCH v7 15/42] selinuxfs: restrict write operations to the same selinux namespace · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
[PATCH v7 16/42] selinux: introduce a global SID table · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
[PATCH v7 18/42] selinux: introduce a Kconfig option for SELinux namespaces · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
[PATCH v7 17/42] selinux: wrap security server interfaces to use the global SID table · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
[PATCH v7 19/42] selinux: eliminate global SID table if !CONFIG_SECURITY_SELINUX_NS · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
[PATCH v7 20/42] selinux: maintain a small cache in the global SID table · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
[PATCH v7 21/42] selinux: update hook functions to use correct selinux namespace · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
[PATCH v7 22/42] selinux: introduce cred_task_has_perm() · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
[PATCH v7 23/42] selinux: introduce cred_has_extended_perms() · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
[PATCH v7 24/42] selinux: introduce cred_self_has_perm() · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
[PATCH v7 25/42] selinux: introduce cred_has_perm() · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
[PATCH v7 26/42] selinux: introduce cred_ssid_has_perm() and cred_other_has_perm() · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
[PATCH v7 27/42] selinux: introduce task_obj_has_perm() · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
[PATCH v7 28/42] selinux: update bprm hooks for selinux namespaces · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
[PATCH v7 29/42] selinux: add kerneldoc to new permission checking functions · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
[PATCH v7 30/42] selinux: convert selinux_file_send_sigiotask() to namespace-aware helper · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
[PATCH v7 31/42] selinux: rename cred_has_perm*() to cred_tsid_has_perm*() · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
[PATCH v7 32/42] selinux: update cred_tsid_has_perm_noaudit() to return the combined avd · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
[PATCH v7 33/42] selinux: convert additional checks to cred_ssid_has_perm() · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
[PATCH v7 34/42] selinux: introduce selinux_state_has_perm() · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
[PATCH v7 35/42] selinux: annotate selinuxfs permission checks · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
[PATCH v7 36/42] selinux: annotate process transition permission checks · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
[PATCH v7 37/42] selinux: convert xfrm and netlabel permission checks · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
[PATCH v7 38/42] selinux: switch selinux_lsm_setattr() checks to current namespace · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
[PATCH v7 40/42] selinux: split cred_ssid_has_perm() into two cases · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
[PATCH v7 41/42] selinux: convert nlmsg_sock_has_extended_perms() to namespace-aware · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
[PATCH v7 39/42] selinux: make open_perms namespace-aware · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14
[PATCH v7 42/42] selinux: disallow writes to /sys/fs/selinux/user in non-init namespaces · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-08-14

STALE276d

Revisions (7)

2025-01-02 rfc [diff vs current]
2025-05-15 v2 [diff vs current]
2025-05-20 v3 [diff vs current]
2025-06-10 v4 [diff vs current]
2025-06-17 v5 [diff vs current]
2025-06-20 v6 [diff vs current]
2025-08-14 v7 current

From: Stephen Smalley <stephen.smalley.work@gmail.com>
Date: 2025-08-14 13:27:43
Also in: selinux
Subsystem: selinux security module, the rest · Maintainers: Paul Moore, Stephen Smalley, Linus Torvalds

Convert nlmsg_sock_has_extended_perms() to use the
cred_has_extended_perms() helper for namespace-aware checking.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 security/selinux/hooks.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index b22dbb4a1a05..369e375bd9c6 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c

@@ -6297,9 +6297,9 @@ static int nlmsg_sock_has_extended_perms(struct sock *sk, u32 perms, u16 nlmsg_t
 	driver = nlmsg_type >> 8;
 	xperm = nlmsg_type & 0xff;
 
-	return avc_has_extended_perms(current_selinux_state, current_sid(),
-				      sksec->sid, sksec->sclass, perms,
-				      driver, AVC_EXT_NLMSG, xperm, &ad);
+	return cred_has_extended_perms(current_cred(), sksec->sid,
+				       sksec->sclass, perms, driver,
+				       AVC_EXT_NLMSG, xperm, &ad);
 }
 
 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)

-- 
2.50.1

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help