{"id":"CVE-2021-46971","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Fix unconditional security_locked_down() call\n\nCurrently, the lockdown state is queried unconditionally, even though\nits result is used only if the PERF_SAMPLE_REGS_INTR bit is set in\nattr.sample_type. While that doesn't matter in case of the Lockdown LSM,\nit causes trouble with the SELinux's lockdown hook implementation.\n\nSELinux implements the locked_down hook with a check whether the current\ntask's type has the corresponding \"lockdown\" class permission\n(\"integrity\" or \"confidentiality\") allowed in the policy. This means\nthat calling the hook when the access control decision would be ignored\ngenerates a bogus permission check and audit record.\n\nFix this by checking sample_type first and only calling the hook when\nits result would be honored.","modified":"2026-03-15T22:42:43.237149Z","published":"2024-02-27T19:04:07.343Z","related":["SUSE-SU-2024:1454-1","SUSE-SU-2024:1465-1","SUSE-SU-2024:1489-1"],"references":[{"type":"FIX","url":"https://git.kernel.org/stable/c/c7b0208ee370b89d20486fae71cd9abb759819c1"},{"type":"FIX","url":"https://git.kernel.org/stable/c/f5809ca4c311b71bfaba6d13f4e39eab0557895e"},{"type":"FIX","url":"https://git.kernel.org/stable/c/08ef1af4de5fe7de9c6d69f1e22e51b66e385d9b"},{"type":"FIX","url":"https://git.kernel.org/stable/c/4348d3b5027bc3ff6336368b6c60605d4ef8e1ce"},{"type":"FIX","url":"https://git.kernel.org/stable/c/b246759284d6a2bc5b6f1009caeeb3abce2ec9ff"}],"affected":[{"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"5.4"},{"fixed":"5.4.117"}]},{"events":[{"introduced":"5.5"},{"fixed":"5.10.35"}]},{"events":[{"introduced":"5.11"},{"fixed":"5.11.19"}]},{"events":[{"introduced":"5.12"},{"fixed":"5.12.2"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-46971.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}]}