diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2019-12-01 01:55:37 +0100 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2019-12-01 01:55:37 +0100 |
commit | ba75082efc18ced6def42e8f85c494aa2578760e (patch) | |
tree | bb2c61dc91320f64f70ee2fba37b938ba564d86a /security/selinux/hooks.c | |
parent | Merge tag 'kgdb-5.5-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/dan... (diff) | |
parent | selinux: default_range glblub implementation (diff) | |
download | linux-ba75082efc18ced6def42e8f85c494aa2578760e.tar.xz linux-ba75082efc18ced6def42e8f85c494aa2578760e.zip |
Merge tag 'selinux-pr-20191126' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux
Pull selinux updates from Paul Moore:
"Only three SELinux patches for v5.5:
- Remove the size limit on SELinux policies, the limitation was a
lingering vestige and no longer necessary.
- Allow file labeling before the policy is loaded. This should ease
some of the burden when the policy is initially loaded (no need to
relabel files), but it should also help enable some new system
concepts which dynamically create the root filesystem in the
initrd.
- Add support for the "greatest lower bound" policy construct which
is defined as the intersection of the MLS range of two SELinux
labels"
* tag 'selinux-pr-20191126' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
selinux: default_range glblub implementation
selinux: allow labeling before policy is loaded
selinux: remove load size limit
Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r-- | security/selinux/hooks.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 73986c1101b9..5d557318f79b 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3144,6 +3144,9 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name, return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); } + if (!selinux_state.initialized) + return (inode_owner_or_capable(inode) ? 0 : -EPERM); + sbsec = inode->i_sb->s_security; if (!(sbsec->flags & SBLABEL_MNT)) return -EOPNOTSUPP; @@ -3227,6 +3230,15 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, return; } + if (!selinux_state.initialized) { + /* If we haven't even been initialized, then we can't validate + * against a policy, so leave the label as invalid. It may + * resolve to a valid label on the next revalidation try if + * we've since initialized. + */ + return; + } + rc = security_context_to_sid_force(&selinux_state, value, size, &newsid); if (rc) { |