From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Paul Moore
Subject: [PATCH 5.11 045/601] selinux: add proper NULL termination to the secclass_map permissions
Date: Wed, 12 May 2021 16:42:02 +0200
Message-Id: <20210512144829.309712352@linuxfoundation.org>
In-Reply-To: <20210512144827.811958675@linuxfoundation.org>
References: <20210512144827.811958675@linuxfoundation.org>

From: Paul Moore

commit e4c82eafb609c2badc56f4e11bc50fcf44b8e9eb upstream.

This patch adds the missing NULL termination to the "bpf" and "perf_event" object class permission lists.

This missing NULL termination should really only affect the tools under scripts/selinux, with the most important being genheaders.c, although in practice this has not been an issue on any of my dev/test systems. If the problem were to manifest itself it would likely result in bogus permissions added to the end of the object class; thankfully with no access control checks using these bogus permissions and no policies defining these permissions the impact would likely be limited to some noise about undefined permissions during policy load.

Cc: stable@vger.kernel.org
Fixes: ec27c3568a34 ("selinux: bpf: Add selinux check for eBPF syscall operations")
Fixes: da97e18458fb ("perf_event: Add support for LSM and SELinux checks")
Signed-off-by: Paul Moore
Signed-off-by: Greg Kroah-Hartman
---
 security/selinux/include/classmap.h | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h
@@ -242,11 +242,12 @@ struct security_class_mapping secclass_m { "infiniband_endport", { "manage_subnet", NULL } }, { "bpf", - {"map_create", "map_read", "map_write", "prog_load", "prog_run"} }, + { "map_create", "map_read", "map_write", "prog_load", "prog_run", + NULL } }, { "xdp_socket", { COMMON_SOCK_PERMS, NULL } }, { "perf_event", - {"open", "cpu", "kernel", "tracepoint", "read", "write"} }, + { "open", "cpu", "kernel", "tracepoint", "read", "write", NULL } }, { "lockdown", { "integrity", "confidentiality", NULL } }, { NULL }
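
Review bot: The trailing NULL on the "bpf" and "perf_event" lists is still maintained by hand, and nothing in this hunk stops the next class added to secclass_map from repeating the omission. The neighbouring entries ("infiniband_endport", "xdp_socket", "lockdown") already follow the convention, so a one-line comment above the table stating that every permission list must end with NULL would document the invariant where contributors will see it. The patch also carries two Fixes: tags, ec27c3568a34 for the "bpf" line and da97e18458fb for the "perf_event" line, inside a single hunk, so a stable tree that contains only one of those commits will need the hunk adjusted by hand when backporting.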