diff options
author | Paul Moore <paul@paul-moore.com> | 2016-04-19 16:36:28 -0400 |
---|---|---|
committer | Paul Moore <paul@paul-moore.com> | 2016-04-19 16:36:28 -0400 |
commit | 2c97165befb487c0dc8b25d39f457d0d91d22a6f (patch) | |
tree | 86eacae3ab34a8f15d3d1eae178da47c245d4b6c /security | |
parent | 0fd71a620be8648486a126fccadf9f7c2a818676 (diff) | |
download | op-kernel-dev-2c97165befb487c0dc8b25d39f457d0d91d22a6f.zip op-kernel-dev-2c97165befb487c0dc8b25d39f457d0d91d22a6f.tar.gz |
selinux: don't revalidate an inode's label when explicitly setting it
There is no point in attempting to revalidate an inode's security
label when we are in the process of setting it.
Reported-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security')
-rw-r--r-- | security/selinux/hooks.c | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index fce7dc8..f8ecc0a 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -297,6 +297,13 @@ static struct inode_security_struct *inode_security(struct inode *inode) return inode->i_security; } +static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry) +{ + struct inode *inode = d_backing_inode(dentry); + + return inode->i_security; +} + /* * Get the security label of a dentry's backing inode. */ @@ -686,7 +693,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, struct superblock_security_struct *sbsec = sb->s_security; const char *name = sb->s_type->name; struct dentry *root = sbsec->sb->s_root; - struct inode_security_struct *root_isec = backing_inode_security(root); + struct inode_security_struct *root_isec; u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; u32 defcontext_sid = 0; char **mount_options = opts->mnt_opts; @@ -729,6 +736,8 @@ static int selinux_set_mnt_opts(struct super_block *sb, && (num_opts == 0)) goto out; + root_isec = backing_inode_security_novalidate(root); + /* * parse the mount options, check if they are valid sids. * also check if someone is trying to mount the same sb more @@ -3222,7 +3231,7 @@ out_nofree: static int selinux_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags) { - struct inode_security_struct *isec = inode_security(inode); + struct inode_security_struct *isec = inode_security_novalidate(inode); u32 newsid; int rc; |