diff options
| author | Paul Moore <paul@paul-moore.com> | 2016-04-19 16:36:28 -0400 |
|---|---|---|
| committer | Paul Moore <paul@paul-moore.com> | 2016-04-19 16:36:28 -0400 |
| commit | 2c97165befb487c0dc8b25d39f457d0d91d22a6f (patch) | |
| tree | 86eacae3ab34a8f15d3d1eae178da47c245d4b6c /security | |
| parent | 0fd71a620be8648486a126fccadf9f7c2a818676 (diff) | |
selinux: don't revalidate an inode's label when explicitly setting it
There is no point in attempting to revalidate an inode's security
label when we are in the process of setting it.
Reported-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security')
| -rw-r--r-- | security/selinux/hooks.c | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index fce7dc81f2d9..f8ecc0a3c0fa 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -297,6 +297,13 @@ static struct inode_security_struct *inode_security(struct inode *inode) | |||
| 297 | return inode->i_security; | 297 | return inode->i_security; |
| 298 | } | 298 | } |
| 299 | 299 | ||
| 300 | static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry) | ||
| 301 | { | ||
| 302 | struct inode *inode = d_backing_inode(dentry); | ||
| 303 | |||
| 304 | return inode->i_security; | ||
| 305 | } | ||
| 306 | |||
| 300 | /* | 307 | /* |
| 301 | * Get the security label of a dentry's backing inode. | 308 | * Get the security label of a dentry's backing inode. |
| 302 | */ | 309 | */ |
| @@ -686,7 +693,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, | |||
| 686 | struct superblock_security_struct *sbsec = sb->s_security; | 693 | struct superblock_security_struct *sbsec = sb->s_security; |
| 687 | const char *name = sb->s_type->name; | 694 | const char *name = sb->s_type->name; |
| 688 | struct dentry *root = sbsec->sb->s_root; | 695 | struct dentry *root = sbsec->sb->s_root; |
| 689 | struct inode_security_struct *root_isec = backing_inode_security(root); | 696 | struct inode_security_struct *root_isec; |
| 690 | u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; | 697 | u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; |
| 691 | u32 defcontext_sid = 0; | 698 | u32 defcontext_sid = 0; |
| 692 | char **mount_options = opts->mnt_opts; | 699 | char **mount_options = opts->mnt_opts; |
| @@ -729,6 +736,8 @@ static int selinux_set_mnt_opts(struct super_block *sb, | |||
| 729 | && (num_opts == 0)) | 736 | && (num_opts == 0)) |
| 730 | goto out; | 737 | goto out; |
| 731 | 738 | ||
| 739 | root_isec = backing_inode_security_novalidate(root); | ||
| 740 | |||
| 732 | /* | 741 | /* |
| 733 | * parse the mount options, check if they are valid sids. | 742 | * parse the mount options, check if they are valid sids. |
| 734 | * also check if someone is trying to mount the same sb more | 743 | * also check if someone is trying to mount the same sb more |
| @@ -3222,7 +3231,7 @@ out_nofree: | |||
| 3222 | static int selinux_inode_setsecurity(struct inode *inode, const char *name, | 3231 | static int selinux_inode_setsecurity(struct inode *inode, const char *name, |
| 3223 | const void *value, size_t size, int flags) | 3232 | const void *value, size_t size, int flags) |
| 3224 | { | 3233 | { |
| 3225 | struct inode_security_struct *isec = inode_security(inode); | 3234 | struct inode_security_struct *isec = inode_security_novalidate(inode); |
| 3226 | u32 newsid; | 3235 | u32 newsid; |
| 3227 | int rc; | 3236 | int rc; |
| 3228 | 3237 | ||