GitHub-Mirror/linux-bl808
2
0
Fork 0
mirror of https://github.com/Fishwaldo/linux-bl808.git synced 2025-06-04 05:34:40 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

selinux: don't revalidate an inode's label when explicitly setting it

Browse source 
There is no point in attempting to revalidate an inode's security
label when we are in the process of setting it.

Reported-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit is contained in:
Paul Moore 2016-04-19 16:36:28 -04:00
parent 0fd71a620b
commit 2c97165bef
1 changed files with 11 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
security/selinux/hooks.c
View file

@ -297,6 +297,13 @@ static struct inode_security_struct *inode_security(struct inode *inode)
return inode->i_security; return inode->i_security;
} }
static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
{
struct inode *inode = d_backing_inode(dentry);
return inode->i_security;
}
/* /*
* Get the security label of a dentry's backing inode. * Get the security label of a dentry's backing inode.
*/ */
@ -686,7 +693,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
struct superblock_security_struct *sbsec = sb->s_security; struct superblock_security_struct *sbsec = sb->s_security;
const char *name = sb->s_type->name; const char *name = sb->s_type->name;
struct dentry *root = sbsec->sb->s_root; struct dentry *root = sbsec->sb->s_root;
struct inode_security_struct *root_isec = backing_inode_security(root); struct inode_security_struct *root_isec;
u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
u32 defcontext_sid = 0; u32 defcontext_sid = 0;
char **mount_options = opts->mnt_opts; char **mount_options = opts->mnt_opts;
@ -729,6 +736,8 @@ static int selinux_set_mnt_opts(struct super_block *sb,
&& (num_opts == 0)) && (num_opts == 0))
goto out; goto out;
root_isec = backing_inode_security_novalidate(root);
/* /*
* parse the mount options, check if they are valid sids. * parse the mount options, check if they are valid sids.
* also check if someone is trying to mount the same sb more * also check if someone is trying to mount the same sb more
@ -3222,7 +3231,7 @@ out_nofree:
static int selinux_inode_setsecurity(struct inode *inode, const char *name, static int selinux_inode_setsecurity(struct inode *inode, const char *name,
const void *value, size_t size, int flags) const void *value, size_t size, int flags)
{ {
struct inode_security_struct *isec = inode_security(inode); struct inode_security_struct *isec = inode_security_novalidate(inode);
u32 newsid; u32 newsid;
int rc; int rc;