From 36a41c6a71712ae7709de71d6cd6e7c408c5c0f7 Mon Sep 17 00:00:00 2001
From: cbl
Date: Thu, 29 Aug 2024 17:03:20 +0800
Subject: [PATCH] =?UTF-8?q?=E5=AE=89=E5=85=A8=E7=89=B9=E6=80=A7=E9=80=82?= =?UTF-8?q?=E9=85=8Dlinux=E5=86=85=E6=A0=B86.6=20Signed-off-by:=20cbl=20?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 container_escape_detection/core/ced_detection.c | 13 +++++++++++--
 .../include/ced_detection_points.h | 2 +-
 memory_security/src/hideaddr.c | 6 ++++++
 memory_security/src/jit_memory.c | 6 ++++++
 4 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/container_escape_detection/core/ced_detection.c b/container_escape_detection/core/ced_detection.c
index 3f0ff8c..b8f2917 100644
--- a/container_escape_detection/core/ced_detection.c
+++ b/container_escape_detection/core/ced_detection.c
@@ -9,6 +9,7 @@
 #include "objsec.h"
 #include "ced_detection.h"
 #include "ced_detection_points.h"
+#include
 enum ced_event_type {
 EVENT_OK,
@@ -40,13 +41,21 @@ static int ced_avc_has_perm(u16 tclass, u32 requested)
 struct av_decision avd;
 int rc;
+#if (LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0))
 if (!selinux_initialized(&selinux_state))
 return 1;
-
+#else
+ if (!selinux_initialized())
+ return 1;
+#endif
 u32 sid = current_sid();
+#if (LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0))
 rc = avc_has_perm_noaudit(&selinux_state, sid, sid, tclass, requested,
 AVC_STRICT, &avd);
-
+#else
+ rc = avc_has_perm_noaudit(sid, sid, tclass, requested,
+ AVC_STRICT, &avd);
+#endif
 return rc;
 }
diff --git a/container_escape_detection/include/ced_detection_points.h b/container_escape_detection/include/ced_detection_points.h
index 45eb2ba..cf62cb2 100644
--- a/container_escape_detection/include/ced_detection_points.h
+++ b/container_escape_detection/include/ced_detection_points.h
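Review bot: The `LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0)` gate around `selinux_initialized()` and `avc_has_perm_noaudit()` in ced_avc_has_perm is tied to the target distribution kernel rather than to the upstream API change: as far as I recall the `selinux_state` parameter was dropped from both functions in mainline 6.4, so a 6.4 or 6.5 kernel would still take the old branch and fail to compile. If that history is right, `#if (LINUX_VERSION_CODE < KERNEL_VERSION(6, 4, 0))` is the safer cutoff, and the same gate repeated in the hideaddr.c and jit_memory.c hunks should move with it. Three identical `#if` ladders are also a maintenance point: a single static inline wrapper in a header the three files share would keep the version logic in one place and let each caller stay a one-line call. The added `#include` in the first hunk shows up with its header name stripped on this page; `LINUX_VERSION_CODE`/`KERNEL_VERSION` come from `linux/version.h`, which is presumably what it names.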
@@ -29,7 +29,7 @@ static inline void cred_info_record(struct cred_info *info, const struct cred *c
 info->egid = cred->egid.val;
 info->fsuid = cred->fsuid.val;
- memcpy(&info->cap_effective.cap[0], &cred->cap_effective.cap[0], sizeof(info->cap_effective.cap));
+ memcpy(&info->cap_effective, &cred->cap_effective, sizeof(kernel_cap_t));
 }
 struct ns_info {
diff --git a/memory_security/src/hideaddr.c b/memory_security/src/hideaddr.c
index c34bbcd..5d77c4e 100644
--- a/memory_security/src/hideaddr.c
+++ b/memory_security/src/hideaddr.c
@@ -17,6 +17,7 @@
 #include "avc.h"
 #include "objsec.h"
 #include "hideaddr.h"
+#include
 static bool is_anon_exec(struct vm_area_struct *vma)
 {
@@ -44,8 +45,13 @@ static int hideaddr_avc_has_perm(u16 tclass, u32 requested, struct seq_file *m)
 u32 secid;
 security_cred_getsecid(task->cred, &secid);
+#if (LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0))
 return avc_has_perm_noaudit(&selinux_state, secid, secid, tclass, requested,
 AVC_STRICT, &avd);
+#else
+ return avc_has_perm_noaudit(secid, secid, tclass, requested,
+ AVC_STRICT, &avd);
+#endif
 }
 static void hideaddr_header_prefix(unsigned long *start, unsigned long *end,
diff --git a/memory_security/src/jit_memory.c b/memory_security/src/jit_memory.c
index 0fc0bee..e34b6ab 100644
--- a/memory_security/src/jit_memory.c
+++ b/memory_security/src/jit_memory.c
@@ -11,6 +11,7 @@
 #include "jit_space_list.h"
 #include "avc.h"
 #include "objsec.h"
+#include
 DEFINE_SPINLOCK(list_lock);
@@ -25,8 +26,13 @@ static bool jit_avc_has_perm(u16 tclass, u32 requested, struct task_struct *task
 u32 secid;
 security_cred_getsecid(task->cred, &secid);
+#if (LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0))
 return (avc_has_perm_noaudit(&selinux_state, secid, secid, tclass, requested,
 AVC_STRICT, &avd) == 0);
+#else
+ return (avc_has_perm_noaudit(secid, secid, tclass, requested,
+ AVC_STRICT, &avd) == 0);
+#endif
 }
 void find_jit_memory(struct task_struct *task, unsigned long start, unsigned long size, int *err)
-- 
Gitee
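Review bot: The new `memcpy(&info->cap_effective, &cred->cap_effective, sizeof(kernel_cap_t))` in cred_info_record sizes the copy by the type name instead of by the destination, so nothing checks that `info->cap_effective` (declared in `struct cred_info`, outside this hunk) actually is a `kernel_cap_t`; if that field still has an older layout the copy silently over- or under-runs. A plain assignment, `info->cap_effective = cred->cap_effective;`, is type-checked, needs no size, and works with both the array layout and the single-word layout of `kernel_cap_t` (the representation changed in 6.3, as I recall), which is presumably why the `.cap[0]` form had to go. If memcpy is kept, `sizeof(info->cap_effective)` is the safer size expression. cred_info_record's opening lines are outside the hunk.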