Linux Kernel SELinux Socket Permission Helper Vulnerability

A vulnerability in the Linux kernel's SELinux implementation affects socket permission handling. The issue arises because the SELinux socket state is stored in a composite LSM socket blob, and certain permission helpers currently access the socket security directly. This approach assumes that the SELinux blob is always at the beginning, which is not the case in stacked LSM configurations. If another LSM allocates socket storage before SELinux, it can lead to incorrect values being used in Access Vector Cache (AVC) checks. The vulnerability is present in the Linux kernel stable tree, specifically in versions 6.13 and later.

Impact

Exploitation of this vulnerability could result in improper socket permission handling, potentially allowing for unauthorized access or actions based on incorrect security identifiers and class values.

Reproduction

The vulnerability can be reproduced by configuring the Linux kernel with stacked LSMs, ensuring that one LSM allocates socket blob storage before SELinux. Then, use the affected socket permission helpers, sock_has_perm() or nlmsg_sock_has_extended_perms(), which will incorrectly read the socket security blob and introduce invalid values into the SELinux permission checks.

Remediation

The vulnerability has been addressed by modifying the affected permission helpers to use the correct accessor for the SELinux socket state. Users should upgrade to the latest version of the Linux kernel where this fix has been applied.