Re: [PATCH] selinux: use sk blob accessor in socket permission helpers

From: Paul Moore

Date: Mon Apr 27 2026 - 19:27:04 EST


On Apr 24, 2026 ZongYao.Chen@xxxxxxxxxxxxxxxxx wrote:
>
> SELinux socket state lives in the composite LSM socket blob.
>
> sock_has_perm() and nlmsg_sock_has_extended_perms() currently
> dereference sk->sk_security directly, which assumes the SELinux socket
> blob is at offset zero.
>
> In stacked configurations that assumption does not hold. If another LSM
> allocates socket blob storage before SELinux, these helpers may read the
> wrong blob and feed invalid SID and class values into AVC checks.
>
> Use selinux_sock() instead of accessing sk->sk_security directly.
>
> Fixes: d1d991efaf34 ("selinux: Add netlink xperm support")
> Cc: stable@xxxxxxxxxxxxxxx # v6.13+
> Signed-off-by: Zongyao Chen <ZongYao.Chen@xxxxxxxxxxxxxxxxx>
> ---
> security/selinux/hooks.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)

Nice catch, thanks. Merged into selinux/stable-7.1 and I'll send it up
to Linus later this week.

> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 97801966bf32..49c482e3fa3f 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -4920,7 +4920,7 @@ static bool sock_skip_has_perm(u32 sid)
>
> static int sock_has_perm(struct sock *sk, u32 perms)
> {
> - struct sk_security_struct *sksec = sk->sk_security;
> + struct sk_security_struct *sksec = selinux_sock(sk);
> struct common_audit_data ad;
> struct lsm_network_audit net;
>
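Review bot: the Fixes: tag in the message names only d1d991efaf34 ("selinux: Add netlink xperm support"), but this hunk changes sock_has_perm(), a different helper from the netlink one in the second hunk; the commit message should say which commit introduced the direct sk->sk_security dereference in sock_has_perm() (or carry a second Fixes: line for it), so that the stable backport covers the kernels that actually have the bug in this function and not only those with the netlink xperm code. The substitution itself, `struct sk_security_struct *sksec = selinux_sock(sk);`, is the right one given the stated offset-zero assumption, and it keeps the remaining declarations (ad, net) untouched.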
> @@ -6227,7 +6227,7 @@ static unsigned int selinux_ip_postroute(void *priv,
>
> static int nlmsg_sock_has_extended_perms(struct sock *sk, u32 perms, u16 nlmsg_type)
> {
> - struct sk_security_struct *sksec = sk->sk_security;
> + struct sk_security_struct *sksec = selinux_sock(sk);
> struct common_audit_data ad;
> u8 driver;
> u8 xperm;
>
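Review bot: this hunk is the one the quoted Fixes: tag and the "v6.13+" stable marker directly describe, and it makes the same one-line substitution as the sock_has_perm() hunk; the diffstat (2 insertions, 2 deletions) matches the two hunks, so nothing is missing from the quoted patch. What I would still ask for in the commit message is a sentence stating whether the rest of hooks.c was audited for other direct sk->sk_security dereferences, so a later reader knows these two helpers were the last such uses rather than only the ones noticed while looking at the netlink path.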
> base-commit: dd6c438c3e64a5ff0b5d7e78f7f9be547803ef1b
> --
> 2.47.3

--
paul-moore.com