diff --git a/container_escape_detection/core/ced_detection.c b/container_escape_detection/core/ced_detection.c index 3f0ff8c6d20d42299720bedc7df80204cbdc49c1..b8f291715ca41979e2459e5e65760144ac2a8b62 100644 --- a/container_escape_detection/core/ced_detection.c +++ b/container_escape_detection/core/ced_detection.c @@ -9,6 +9,7 @@ #include "objsec.h" #include "ced_detection.h" #include "ced_detection_points.h" +#include enum ced_event_type { EVENT_OK, @@ -40,13 +41,21 @@ static int ced_avc_has_perm(u16 tclass, u32 requested) struct av_decision avd; int rc; +#if (LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0)) if (!selinux_initialized(&selinux_state)) return 1; - +#else + if (!selinux_initialized()) + return 1; +#endif u32 sid = current_sid(); +#if (LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0)) rc = avc_has_perm_noaudit(&selinux_state, sid, sid, tclass, requested, AVC_STRICT, &avd); - +#else + rc = avc_has_perm_noaudit(sid, sid, tclass, requested, + AVC_STRICT, &avd); +#endif return rc; } diff --git a/container_escape_detection/include/ced_detection_points.h b/container_escape_detection/include/ced_detection_points.h index 45eb2babca36f19bb75c7d1c26ec652528e9314d..cf62cb285b8296df7dab88c3866c9ce7ef8f137d 100644 --- a/container_escape_detection/include/ced_detection_points.h +++ b/container_escape_detection/include/ced_detection_points.h @@ -29,7 +29,7 @@ static inline void cred_info_record(struct cred_info *info, const struct cred *c info->egid = cred->egid.val; info->fsuid = cred->fsuid.val; - memcpy(&info->cap_effective.cap[0], &cred->cap_effective.cap[0], sizeof(info->cap_effective.cap)); + memcpy(&info->cap_effective, &cred->cap_effective, sizeof(kernel_cap_t)); } struct ns_info { diff --git a/memory_security/src/hideaddr.c b/memory_security/src/hideaddr.c index c34bbcd38f4632eeb78c6db0e6a5373f7a948128..5d77c4e9e40a11f5454b22b0f0e984425d1fb215 100644 --- a/memory_security/src/hideaddr.c +++ b/memory_security/src/hideaddr.c @@ -17,6 +17,7 @@ #include "avc.h" #include "objsec.h" #include "hideaddr.h" +#include static bool is_anon_exec(struct vm_area_struct *vma) { @@ -44,8 +45,13 @@ static int hideaddr_avc_has_perm(u16 tclass, u32 requested, struct seq_file *m) u32 secid; security_cred_getsecid(task->cred, &secid); +#if (LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0)) return avc_has_perm_noaudit(&selinux_state, secid, secid, tclass, requested, AVC_STRICT, &avd); +#else + return avc_has_perm_noaudit(secid, secid, tclass, requested, + AVC_STRICT, &avd); +#endif } static void hideaddr_header_prefix(unsigned long *start, unsigned long *end, diff --git a/memory_security/src/jit_memory.c b/memory_security/src/jit_memory.c index 0fc0bee268878a5715dfadaf1db3af6386f595a8..e34b6ab0cbe380bf5841bdb76be3d6e1d3339a84 100644 --- a/memory_security/src/jit_memory.c +++ b/memory_security/src/jit_memory.c @@ -11,6 +11,7 @@ #include "jit_space_list.h" #include "avc.h" #include "objsec.h" +#include DEFINE_SPINLOCK(list_lock); @@ -25,8 +26,13 @@ static bool jit_avc_has_perm(u16 tclass, u32 requested, struct task_struct *task u32 secid; security_cred_getsecid(task->cred, &secid); +#if (LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0)) return (avc_has_perm_noaudit(&selinux_state, secid, secid, tclass, requested, AVC_STRICT, &avd) == 0); +#else + return (avc_has_perm_noaudit(secid, secid, tclass, requested, + AVC_STRICT, &avd) == 0); +#endif } void find_jit_memory(struct task_struct *task, unsigned long start, unsigned long size, int *err)