1 files changed, 35 insertions, 21 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index b332e2cc0954..d58946dca8c9 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1418,15 +1418,33 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
                isec->sid = sbsec->sid;
                if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
-                        if (opt_dentry) {
+                        /* We must have a dentry to determine the label on
-                                isec->sclass = inode_mode_to_security_class(inode->i_mode);
+                         * procfs inodes */
-                                rc = selinux_proc_get_sid(opt_dentry,
+                        if (opt_dentry)
-                                                          isec->sclass,
+                                /* Called from d_instantiate or
-                                                          &sid);
+                                 * d_splice_alias. */
-                                if (rc)
+                                dentry = dget(opt_dentry);
-                                        goto out_unlock;
+                        else
-                                isec->sid = sid;
+                                /* Called from selinux_complete_init, try to
-                        }
+                                 * find a dentry. */
+                                dentry = d_find_alias(inode);
+                        /*
+                         * This can be hit on boot when a file is accessed
+                         * before the policy is loaded.  When we load policy we
+                         * may find inodes that have no dentry on the
+                         * sbsec->isec_head list.  No reason to complain as
+                         * these will get fixed up the next time we go through
+                         * inode_doinit() with a dentry, before these inodes
+                         * could be used again by userspace.
+                         */
+                        if (!dentry)
+                                goto out_unlock;
+                        isec->sclass = inode_mode_to_security_class(inode->i_mode);
+                        rc = selinux_proc_get_sid(dentry, isec->sclass, &sid);
+                        dput(dentry);
+                        if (rc)
+                                goto out_unlock;
+                        isec->sid = sid;
                }
                break;
        }
@@ -3205,24 +3223,20 @@ error:
 static int selinux_mmap_addr(unsigned long addr)
 {
-        int rc = 0;
+        int rc;
-        u32 sid = current_sid();
+        /* do DAC check on address space usage */
+        rc = cap_mmap_addr(addr);
+        if (rc)
+                return rc;
-        /*
-         * notice that we are intentionally putting the SELinux check before
-         * the secondary cap_file_mmap check.  This is such a likely attempt
-         * at bad behaviour/exploit that we always want to get the AVC, even
-         * if DAC would have also denied the operation.
-         */
        if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
+                u32 sid = current_sid();
                rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
                                  MEMPROTECT__MMAP_ZERO, NULL);
-                if (rc)
-                        return rc;
        }
-        /* do DAC check on address space usage */
+        return rc;
-        return cap_mmap_addr(addr);
 }
 static int selinux_mmap_file(struct file *file, unsigned long reqprot,

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index b332e2cc0954..d58946dca8c9 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -1418,15 +1418,33 @@ static int inode_doinit_with_dentry(struct inode inode, struct dentry opt_dent
1418	isec->sid = sbsec->sid;	1418	isec->sid = sbsec->sid;
1419		1419
1420	if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {	1420	if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1421	if (opt_dentry) {	1421	/* We must have a dentry to determine the label on
1422	isec->sclass = inode_mode_to_security_class(inode->i_mode);	1422	* procfs inodes */
1423	rc = selinux_proc_get_sid(opt_dentry,	1423	if (opt_dentry)
1424	isec->sclass,	1424	/* Called from d_instantiate or
1425	&sid);	1425	* d_splice_alias. */
1426	if (rc)	1426	dentry = dget(opt_dentry);
1427	goto out_unlock;	1427	else
1428	isec->sid = sid;	1428	/* Called from selinux_complete_init, try to
1429	}	1429	* find a dentry. */
		1430	dentry = d_find_alias(inode);
		1431	/*
		1432	* This can be hit on boot when a file is accessed
		1433	* before the policy is loaded. When we load policy we
		1434	* may find inodes that have no dentry on the
		1435	* sbsec->isec_head list. No reason to complain as
		1436	* these will get fixed up the next time we go through
		1437	* inode_doinit() with a dentry, before these inodes
		1438	* could be used again by userspace.
		1439	*/
		1440	if (!dentry)
		1441	goto out_unlock;
		1442	isec->sclass = inode_mode_to_security_class(inode->i_mode);
		1443	rc = selinux_proc_get_sid(dentry, isec->sclass, &sid);
		1444	dput(dentry);
		1445	if (rc)
		1446	goto out_unlock;
		1447	isec->sid = sid;
1430	}	1448	}
1431	break;	1449	break;
1432	}	1450	}
@@ -3205,24 +3223,20 @@ error:
3205		3223
3206	static int selinux_mmap_addr(unsigned long addr)	3224	static int selinux_mmap_addr(unsigned long addr)
3207	{	3225	{
3208	int rc = 0;	3226	int rc;
3209	u32 sid = current_sid();	3227
		3228	/* do DAC check on address space usage */
		3229	rc = cap_mmap_addr(addr);
		3230	if (rc)
		3231	return rc;
3210		3232
3211	/*
3212	* notice that we are intentionally putting the SELinux check before
3213	* the secondary cap_file_mmap check. This is such a likely attempt
3214	* at bad behaviour/exploit that we always want to get the AVC, even
3215	* if DAC would have also denied the operation.
3216	*/
3217	if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {	3233	if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
		3234	u32 sid = current_sid();
3218	rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,	3235	rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3219	MEMPROTECT__MMAP_ZERO, NULL);	3236	MEMPROTECT__MMAP_ZERO, NULL);
3220	if (rc)
3221	return rc;
3222	}	3237	}
3223		3238
3224	/* do DAC check on address space usage */	3239	return rc;
3225	return cap_mmap_addr(addr);
3226	}	3240	}
3227		3241
3228	static int selinux_mmap_file(struct file *file, unsigned long reqprot,	3242	static int selinux_mmap_file(struct file *file, unsigned long reqprot,