From dde3a5d0f4dce1d1a6095e6b8eeb59b75d28fb3b Mon Sep 17 00:00:00 2001
From: Stephen Smalley
Date: Thu, 13 Nov 2025 15:23:14 -0500
Subject: selinux: move avdcache to per-task security struct

The avdcache is meant to be per-task; move it to a new task_security_struct that is duplicated per-task.

Cc: stable@vger.kernel.org
Fixes: 5d7ddc59b3d89b724a5aa8f30d0db94ff8d2d93f ("selinux: reduce path walk overhead")
Signed-off-by: Stephen Smalley
[PM: line length fixes]
Signed-off-by: Paul Moore
---
security/selinux/include/objsec.h | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
(limited to 'security/selinux/include/objsec.h')
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index e71ce352bc97..00804562c2c3 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -44,6 +44,9 @@ struct cred_security_struct {
 u32 create_sid; /* fscreate SID */
 u32 keycreate_sid; /* keycreate SID */
 u32 sockcreate_sid; /* fscreate SID */
+} __randomize_layout;
+
+struct task_security_struct {
 #define TSEC_AVDC_DIR_SIZE (1 << 2)
 struct {
 u32 sid; /* current SID for cached entries */
@@ -54,10 +57,11 @@ struct cred_security_struct {
 } avdcache;
 } __randomize_layout;
 
-static inline bool task_avdcache_permnoaudit(struct cred_security_struct *tsec)
+static inline bool task_avdcache_permnoaudit(struct task_security_struct *tsec,
+ u32 sid)
 {
 return (tsec->avdcache.permissive_neveraudit &&
- tsec->sid == tsec->avdcache.sid &&
+ sid == tsec->avdcache.sid &&
 tsec->avdcache.seqno == avc_policy_seqno());
 }
 
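Review bot: The new `struct task_security_struct` is introduced without a comment saying what separates it from `cred_security_struct`, even though that separation is the whole point of the change (per-task state that is duplicated for each task, versus cred state shared by every task holding the same cred). A short comment above the struct, e.g. `/* Per-task SELinux state, duplicated on task creation; state shared via the cred lives in cred_security_struct. */`, would spare the next reader a trip to this commit. The `TSEC_AVDC_DIR_SIZE` define now sits inside the new struct's body rather than `cred_security_struct`'s, which is intended but easy to miss in a context-only line. The struct body continues past the end of the hunk, so the remaining avdcache fields are not visible here.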
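Review bot: `task_avdcache_permnoaudit()` only reads `tsec->avdcache`, so the new parameter should be `const struct task_security_struct *tsec`; putting the return type on its own line, as the new `selinux_task()` accessor in this file already does, keeps the signature within the line length the [PM] fixup was after: `static inline bool` / `task_avdcache_permnoaudit(const struct task_security_struct *tsec, u32 sid)`. The added `sid` argument carries no comment saying whose SID it is, and the check now trusts the caller to supply the right one, so a line such as `/* @sid: current SID of the cred being checked; cached entries are only valid for the SID and policy seqno they were recorded under */` would make the contract explicit. The `seqno == avc_policy_seqno()` comparison is what stops a cached permissive/neveraudit result from surviving a policy reload; it is unchanged here and should stay paired with the SID check.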
@@ -177,6 +181,12 @@ static inline struct cred_security_struct *selinux_cred(const struct cred *cred)
 return cred->security + selinux_blob_sizes.lbs_cred;
 }
 
+static inline struct task_security_struct *
+selinux_task(const struct task_struct *task)
+{
+ return task->security + selinux_blob_sizes.lbs_task;
+}
+
 static inline struct file_security_struct *selinux_file(const struct file *file)
 {
 return file->f_security + selinux_blob_sizes.lbs_file;
--
cgit v1.2.3
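Review bot: `selinux_task()` presumes that `selinux_blob_sizes.lbs_task` has been registered and that the task blob is allocated and filled for every task, but this page is limited to objsec.h, so neither the blob-size registration nor the task_alloc path that initializes or copies the new `task_security_struct` is visible here; both need to land in the same series or the accessor returns a pointer into an unsized blob. Like its `selinux_cred()` and `selinux_file()` siblings, it hands back a mutable pointer from a `const` object pointer, which follows the existing convention but deserves a one-line kerneldoc, e.g. `/* selinux_task - return the SELinux per-task security blob of @task */`.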