1 files changed, 31 insertions, 9 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index f08a0f201967..f8931c5d252a 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -534,16 +534,10 @@ static int may_context_mount_inode_relabel(u32 sid,
        return rc;
 }
-static int selinux_is_sblabel_mnt(struct super_block *sb)
+static int selinux_is_genfs_special_handling(struct super_block *sb)
 {
-        struct superblock_security_struct *sbsec = sb->s_security;
+        /* Special handling. Genfs but also in-core setxattr handler */
+        return  !strcmp(sb->s_type->name, "sysfs") ||
-        return sbsec->behavior == SECURITY_FS_USE_XATTR ||
-                sbsec->behavior == SECURITY_FS_USE_TRANS ||
-                sbsec->behavior == SECURITY_FS_USE_TASK ||
-                sbsec->behavior == SECURITY_FS_USE_NATIVE ||
-                /* Special handling. Genfs but also in-core setxattr handler */
-                !strcmp(sb->s_type->name, "sysfs") ||
                !strcmp(sb->s_type->name, "pstore") ||
                !strcmp(sb->s_type->name, "debugfs") ||
                !strcmp(sb->s_type->name, "tracefs") ||
@@ -553,6 +547,34 @@ static int selinux_is_sblabel_mnt(struct super_block *sb)
                  !strcmp(sb->s_type->name, "cgroup2")));
 }
+static int selinux_is_sblabel_mnt(struct super_block *sb)
+{
+        struct superblock_security_struct *sbsec = sb->s_security;
+        /*
+         * IMPORTANT: Double-check logic in this function when adding a new
+         * SECURITY_FS_USE_* definition!
+         */
+        BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
+        switch (sbsec->behavior) {
+        case SECURITY_FS_USE_XATTR:
+        case SECURITY_FS_USE_TRANS:
+        case SECURITY_FS_USE_TASK:
+        case SECURITY_FS_USE_NATIVE:
+                return 1;
+        case SECURITY_FS_USE_GENFS:
+                return selinux_is_genfs_special_handling(sb);
+        /* Never allow relabeling on context mounts */
+        case SECURITY_FS_USE_MNTPOINT:
+        case SECURITY_FS_USE_NONE:
+        default:
+                return 0;
+        }
+}
 static int sb_finish_set_opts(struct super_block *sb)
 {
        struct superblock_security_struct *sbsec = sb->s_security;

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index f08a0f201967..f8931c5d252a 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -534,16 +534,10 @@ static int may_context_mount_inode_relabel(u32 sid,
534	return rc;	534	return rc;
535	}	535	}
536		536
537	static int selinux_is_sblabel_mnt(struct super_block *sb)	537	static int selinux_is_genfs_special_handling(struct super_block *sb)
538	{	538	{
539	struct superblock_security_struct *sbsec = sb->s_security;	539	/* Special handling. Genfs but also in-core setxattr handler */
540		540	return !strcmp(sb->s_type->name, "sysfs") \|\|
541	return sbsec->behavior == SECURITY_FS_USE_XATTR \|\|
542	sbsec->behavior == SECURITY_FS_USE_TRANS \|\|
543	sbsec->behavior == SECURITY_FS_USE_TASK \|\|
544	sbsec->behavior == SECURITY_FS_USE_NATIVE \|\|
545	/* Special handling. Genfs but also in-core setxattr handler */
546	!strcmp(sb->s_type->name, "sysfs") \|\|
547	!strcmp(sb->s_type->name, "pstore") \|\|	541	!strcmp(sb->s_type->name, "pstore") \|\|
548	!strcmp(sb->s_type->name, "debugfs") \|\|	542	!strcmp(sb->s_type->name, "debugfs") \|\|
549	!strcmp(sb->s_type->name, "tracefs") \|\|	543	!strcmp(sb->s_type->name, "tracefs") \|\|
@@ -553,6 +547,34 @@ static int selinux_is_sblabel_mnt(struct super_block *sb)
553	!strcmp(sb->s_type->name, "cgroup2")));	547	!strcmp(sb->s_type->name, "cgroup2")));
554	}	548	}
555		549
		550	static int selinux_is_sblabel_mnt(struct super_block *sb)
		551	{
		552	struct superblock_security_struct *sbsec = sb->s_security;
		553
		554	/*
		555	* IMPORTANT: Double-check logic in this function when adding a new
		556	* SECURITY_FS_USE_* definition!
		557	*/
		558	BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
		559
		560	switch (sbsec->behavior) {
		561	case SECURITY_FS_USE_XATTR:
		562	case SECURITY_FS_USE_TRANS:
		563	case SECURITY_FS_USE_TASK:
		564	case SECURITY_FS_USE_NATIVE:
		565	return 1;
		566
		567	case SECURITY_FS_USE_GENFS:
		568	return selinux_is_genfs_special_handling(sb);
		569
		570	/* Never allow relabeling on context mounts */
		571	case SECURITY_FS_USE_MNTPOINT:
		572	case SECURITY_FS_USE_NONE:
		573	default:
		574	return 0;
		575	}
		576	}
		577
556	static int sb_finish_set_opts(struct super_block *sb)	578	static int sb_finish_set_opts(struct super_block *sb)
557	{	579	{
558	struct superblock_security_struct *sbsec = sb->s_security;	580	struct superblock_security_struct *sbsec = sb->s_security;