summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorPaul Moore <paul@paul-moore.com>2016-04-19 22:36:28 +0200
committerPaul Moore <paul@paul-moore.com>2016-04-19 22:36:28 +0200
commit2c97165befb487c0dc8b25d39f457d0d91d22a6f (patch)
tree86eacae3ab34a8f15d3d1eae178da47c245d4b6c /security
parentselinux: Change bool variable name to index. (diff)
downloadlinux-2c97165befb487c0dc8b25d39f457d0d91d22a6f.tar.xz
linux-2c97165befb487c0dc8b25d39f457d0d91d22a6f.zip
selinux: don't revalidate an inode's label when explicitly setting it
There is no point in attempting to revalidate an inode's security label when we are in the process of setting it. Reported-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security')
-rw-r--r--security/selinux/hooks.c13
1 files changed, 11 insertions, 2 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index fce7dc81f2d9..f8ecc0a3c0fa 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -297,6 +297,13 @@ static struct inode_security_struct *inode_security(struct inode *inode)
return inode->i_security;
}
+static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
+{
+ struct inode *inode = d_backing_inode(dentry);
+
+ return inode->i_security;
+}
+
/*
* Get the security label of a dentry's backing inode.
*/
@@ -686,7 +693,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
struct superblock_security_struct *sbsec = sb->s_security;
const char *name = sb->s_type->name;
struct dentry *root = sbsec->sb->s_root;
- struct inode_security_struct *root_isec = backing_inode_security(root);
+ struct inode_security_struct *root_isec;
u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
u32 defcontext_sid = 0;
char **mount_options = opts->mnt_opts;
@@ -729,6 +736,8 @@ static int selinux_set_mnt_opts(struct super_block *sb,
&& (num_opts == 0))
goto out;
+ root_isec = backing_inode_security_novalidate(root);
+
/*
* parse the mount options, check if they are valid sids.
* also check if someone is trying to mount the same sb more
@@ -3222,7 +3231,7 @@ out_nofree:
static int selinux_inode_setsecurity(struct inode *inode, const char *name,
const void *value, size_t size, int flags)
{
- struct inode_security_struct *isec = inode_security(inode);
+ struct inode_security_struct *isec = inode_security_novalidate(inode);
u32 newsid;
int rc;