[RFC,39/44] selinux: defer inode init on current selinux state

Commit Message

Stephen Smalley Jan. 2, 2025, 4:45 p.m. UTC

Previously inode_doinit_with_dentry() was only checking
sbsec->flags to see if it should defer the inode security
blob initialization, which was fine when there was only a
single SELinux state/namespace since that could only be
set if the state was initialized. However, with the
introduction of SELinux namespaces, the superblock
could be initialized in the parent (or other ancestor)
namespace but the current namespace may not yet be
initialized (i.e. the namespace was unshared but no policy
has yet been loaded into it). Add an explicit test
of selinux_initialized(current_selinux_state) to defer
initialization of the inode in this situation so that
we do not end up setting it to initialized with an
unlabeled SID prior to policy load. An alternative
would be to proceed with initialization but do it
against the parent namespace.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 security/selinux/hooks.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Patch

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 11d940fb79bd..dfc422d9c042 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1440,7 +1440,8 @@  static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
 
 	sbsec = selinux_superblock(inode->i_sb);
-	if (!(sbsec->flags & SE_SBINITIALIZED)) {
+	if (!(sbsec->flags & SE_SBINITIALIZED) ||
+		!selinux_initialized(current_selinux_state)) {
 		/* Defer initialization until selinux_complete_init,
 		   after the initial policy is loaded and the security
 		   server is ready to handle calls. */