To prevent modifying the enforcing status or resetting the AVC in the userspace policy enforcers, do not deliver SELinux netlink notifications to the init network namespace unless they were generated by the init SELinux namespace. If you want to receive SELinux netlink notifications in a non-init SELinux namespace, then unshare your network namespace too. Otherwise, just map the SELinux status page (/sys/fs/selinux/status) to check the enforcing status and to detect policy reloads which is now the default behavior in libselinux on any kernels that support it.
Signed-off-by: Stephen Smalley
---
 security/selinux/hooks.c | 2 +-
 security/selinux/include/security.h | 1 +
 security/selinux/netlink.c | 11 +++++++++++
 3 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 7c405f3289db..0d9ec74b6144 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -107,7 +107,7 @@
 #define SELINUX_INODE_INIT_XATTRS 1
-static struct selinux_state *init_selinux_state;
+struct selinux_state *init_selinux_state;
 struct selinux_state *current_selinux_state;
 /* SECMARK reference count */
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index d733d2dabb9f..950601a28cd5 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -134,6 +134,7 @@ get_selinux_state(struct selinux_state *state)
 return state;
 }
+extern struct selinux_state *init_selinux_state;
 extern struct selinux_state *current_selinux_state;
 static inline bool selinux_initialized(const struct selinux_state *state)
diff --git a/security/selinux/netlink.c b/security/selinux/netlink.c
index 03678a76f4bb..fb55d3ba25f5 100644
--- a/security/selinux/netlink.c
+++ b/security/selinux/netlink.c
@@ -70,6 +70,17 @@ static void selnl_notify(int msgtype, void *data)
 struct sk_buff *skb;
 struct nlmsghdr *nlh;
+ /*
+ * Do not deliver SELinux netlink notifications to the
+ * init network namespace if they were not generated
+ * by the init selinux namespace. Unshare network
+ * namespace if you want to receive them; otherwise,
+ * just get updates via the SELinux status page.
+ */
+ if (current_selinux_state != init_selinux_state &&
+ net_eq(current->nsproxy->net_ns, &init_net))
+ return;
+
 len = selnl_msglen(msgtype);
 skb = nlmsg_new(len, GFP_USER);
-- 
2.50.1
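Review bot: `init_selinux_state` is exported with no comment on what it denotes or when it becomes valid, now that the hooks.c hunk drops its `static` and the security.h hunk adds the matching `extern`, while its consumer in this patch (netlink.c) relies on comparing it against current_selinux_state. A one-line comment on the declaration in security.h would make that contract explicit, e.g. `/* state of the initial SELinux namespace; compared against current_selinux_state to tell whether the caller acts on behalf of a child namespace */`. Whether the pointer can still be NULL when early callers run is not visible here and is worth confirming before more code compares against it.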
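Review bot: The guard added at the top of selnl_notify() keys on `current->nsproxy->net_ns`, the network namespace of the task that triggered the notification, not on the namespace the message is actually broadcast to; if the `selnl` kernel socket used by the broadcast later in this function is still created only in `&init_net` (not visible in this hunk), a task in a non-init SELinux namespace that has unshared its network namespace passes the check and the message is still delivered to init_net listeners, which is exactly what the description wants to stop. That assumption is worth stating in the comment, e.g. `/* assumes selnl is per-netns, so the remaining path only reaches current's netns */`, or confirming with a test that unshares the network namespace and triggers a policy reload. `current->nsproxy` is also dereferenced unconditionally; that is fine from syscall context, but it would fault if selnl_notify() can be reached from an exiting task or a kernel thread whose nsproxy is NULL, so the callers should be confirmed to be process context. The rest of selnl_notify() lies outside the hunk.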