UPSTREAM: selinux: ignore unknown extended permissions
commit 900f83cf376bdaf798b6f5dcb2eae0c822e908b6 upstream.
When evaluating extended permissions, ignore unknown permissions instead
of calling BUG(). This commit ensures that future permissions can be
added without interfering with older kernels.
Cc: [email protected]
Fixes: fa1aa143ac4a ("selinux: extended permissions for ioctls")
Signed-off-by: Thiébaud Weksteen <[email protected]>
Signed-off-by: Paul Moore <[email protected]>
Acked-by: Paul Moore <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Thiébaud Weksteen <[email protected]>
Change-Id: I1689d8c5084a24c1a34ef3d15d71f8cfa4122447
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 4ec3a78..5e7bd32d 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -971,7 +971,10 @@ void services_compute_xperms_decision(struct extended_perms_decision *xpermd,
xpermd->driver))
return;
} else {
- BUG();
+ pr_warn_once(
+ "SELinux: unknown extended permission (%u) will be ignored\n",
+ node->datum.u.xperms->specified);
+ return;
}
if (node->key.specified == AVTAB_XPERMS_ALLOWED) {
@@ -1008,7 +1011,8 @@ void services_compute_xperms_decision(struct extended_perms_decision *xpermd,
node->datum.u.xperms->perms.p[i];
}
} else {
- BUG();
+ pr_warn_once("SELinux: unknown specified key (%u)\n",
+ node->key.specified);
}
}
