selinux: fix inode_doinit_with_dentry() LABEL_INVALID error handling

stable inclusion from stable-5.10.4 commit 6e5ea342fc652573d29adcdeb805081dd7253e67 bugzilla: 46903 -------------------------------- [ Upstream commit 200ea5a2 ] A previous fix, commit 83370b31 ("selinux: fix error initialization in inode_doinit_with_dentry()"), changed how failures were handled before a SELinux policy was loaded. Unfortunately that patch was potentially problematic for two reasons: it set the isec->initialized state without holding a lock, and it didn't set the inode's SELinux label to the "default" for the particular filesystem. The later can be a problem if/when a later attempt to revalidate the inode fails and SELinux reverts to the existing inode label. This patch should restore the default inode labeling that existed before the original fix, without affecting the LABEL_INVALID marking such that revalidation will still be attempted in the future. Fixes: 83370b31 ("selinux: fix error initialization in inode_doinit_with_dentry()") Reported-by: N Sven Schnelle <svens@linux.ibm.com> Tested-by: N Sven Schnelle <svens@linux.ibm.com> Reviewed-by: N Ondrej Mosnacek <omosnace@redhat.com> Signed-off-by: N Paul Moore <paul@paul-moore.com> Signed-off-by: N Sasha Levin <sashal@kernel.org> Signed-off-by: N Chen Jun <chenjun102@huawei.com> Acked-by: N Xie XiuQi <xiexiuqi@huawei.com>

selinux: fix inode_doinit_with_dentry() LABEL_INVALID error handling
stable inclusion from stable-5.10.4 commit 6e5ea342fc652573d29adcdeb805081dd7253e67 bugzilla: 46903 -------------------------------- [ Upstream commit 200ea5a2 ] A previous fix, commit 83370b31 ("selinux: fix error initialization in inode_doinit_with_dentry()"), changed how failures were handled before a SELinux policy was loaded. Unfortunately that patch was potentially problematic for two reasons: it set the isec->initialized state without holding a lock, and it didn't set the inode's SELinux label to the "default" for the particular filesystem. The later can be a problem if/when a later attempt to revalidate the inode fails and SELinux reverts to the existing inode label. This patch should restore the default inode labeling that existed before the original fix, without affecting the LABEL_INVALID marking such that revalidation will still be attempted in the future. Fixes: 83370b31 ("selinux: fix error initialization in inode_doinit_with_dentry()") Reported-by: N Sven Schnelle <svens@linux.ibm.com> Tested-by: N Sven Schnelle <svens@linux.ibm.com> Reviewed-by: N Ondrej Mosnacek <omosnace@redhat.com> Signed-off-by: N Paul Moore <paul@paul-moore.com> Signed-off-by: N Sasha Levin <sashal@kernel.org> Signed-off-by: N Chen Jun <chenjun102@huawei.com> Acked-by: N Xie XiuQi <xiexiuqi@huawei.com>
1956f2c2 · Paul Moore · Xie XiuQi · 9d2fda2c · 1956f2c2
隐藏空白更改
内联并排

Showing with 13 addition and 18 deletion

security/selinux/hooks.c security/selinux/hooks.c +13 -18

未找到文件。
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1451,13 +1451,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
 			 * inode_doinit with a dentry, before these inodes could
 			 * be used again by userspace.
 			 */
-			isec->initialized = LABEL_INVALID;
+			goto out_invalid;
-			/*
-			 * There is nothing useful to jump to the "out"
-			 * label, except a needless spin lock/unlock
-			 * cycle.
-			 */
-			return 0;
 		}
 		rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
@@ -1513,15 +1507,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
 			 * inode_doinit() with a dentry, before these inodes
 			 * could be used again by userspace.
 			 */
-			if (!dentry) {
+			if (!dentry)
-				isec->initialized = LABEL_INVALID;
+				goto out_invalid;
-				/*
-				 * There is nothing useful to jump to the "out"
-				 * label, except a needless spin lock/unlock
-				 * cycle.
-				 */
-				return 0;
-			}
 			rc = selinux_genfs_get_sid(dentry, sclass,
 						   sbsec->flags, &sid);
 			if (rc) {
@@ -1546,11 +1533,10 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
 out:
 	spin_lock(&isec->lock);
 	if (isec->initialized == LABEL_PENDING) {
-		if (!sid || rc) {
+		if (rc) {
 			isec->initialized = LABEL_INVALID;
 			goto out_unlock;
 		}
 		isec->initialized = LABEL_INITIALIZED;
 		isec->sid = sid;
 	}
@@ -1558,6 +1544,15 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
 out_unlock:
 	spin_unlock(&isec->lock);
 	return rc;
+out_invalid:
+	spin_lock(&isec->lock);
+	if (isec->initialized == LABEL_PENDING) {
+		isec->initialized = LABEL_INVALID;
+		isec->sid = sid;
+	}
+	spin_unlock(&isec->lock);
+	return 0;
 }
 /* Convert a Linux signal to an access vector. */