[ Upstream commit 464c258aa45b09f16aa0f05847ed8895873262d9 ] When sid == 0 (we are resetting keycreate_sid to the default value), we should skip the KEY__CREATE check.
Before this patch, doing a zero-sized write to /proc/self/keycreate would check if the current task can create unlabeled keys (which would usually fail with -EACCESS and generate an AVC). Now it skips the check and correctly sets the task's keycreate_sid to 0. Bug report: https://bugzilla.redhat.com/show_bug.cgi?id=1719067 Tested using the reproducer from the report above. Fixes: 4eb582cf1fbd ("[PATCH] keys: add a way to store the appropriate context for newly-created keys") Reported-by: Kir Kolyshkin <k...@sacred.ru> Signed-off-by: Ondrej Mosnacek <omosn...@redhat.com> Signed-off-by: Paul Moore <p...@paul-moore.com> Signed-off-by: Sasha Levin <sas...@kernel.org> --- security/selinux/hooks.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 614bc753822c..bf37bdce9918 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6269,11 +6269,12 @@ static int selinux_setprocattr(const char *name, void *value, size_t size) } else if (!strcmp(name, "fscreate")) { tsec->create_sid = sid; } else if (!strcmp(name, "keycreate")) { - error = avc_has_perm(&selinux_state, - mysid, sid, SECCLASS_KEY, KEY__CREATE, - NULL); - if (error) - goto abort_change; + if (sid) { + error = avc_has_perm(&selinux_state, mysid, sid, + SECCLASS_KEY, KEY__CREATE, NULL); + if (error) + goto abort_change; + } tsec->keycreate_sid = sid; } else if (!strcmp(name, "sockcreate")) { tsec->sockcreate_sid = sid; -- 2.20.1
