selinux: ignore unknown extended permissions

When evaluating extended permissions, ignore unknown permissions instead
of calling BUG(). This commit ensures that future permissions can be
added without interfering with older kernels.

Cc: stable@vger.kernel.org
Fixes: fa1aa143ac ("selinux: extended permissions for ioctls")
Signed-off-by: Thiébaud Weksteen <tweek@google.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit is contained in:
Thiébaud Weksteen 2024-12-05 12:09:19 +11:00 committed by Paul Moore
parent 40384c840e
commit 900f83cf37

View File

@ -979,7 +979,10 @@ void services_compute_xperms_decision(struct extended_perms_decision *xpermd,
return;
break;
default:
BUG();
pr_warn_once(
"SELinux: unknown extended permission (%u) will be ignored\n",
node->datum.u.xperms->specified);
return;
}
if (node->key.specified == AVTAB_XPERMS_ALLOWED) {
@ -998,7 +1001,8 @@ void services_compute_xperms_decision(struct extended_perms_decision *xpermd,
&node->datum.u.xperms->perms,
xpermd->dontaudit);
} else {
BUG();
pr_warn_once("SELinux: unknown specified key (%u)\n",
node->key.specified);
}
}