
[RFC,44/44] selinux: fix inode initialization when no namespace is initialized

Message ID 20250102164509.25606-45-stephen.smalley.work@gmail.com (mailing list archive)
State New
Delegated to: Paul Moore
Series SELinux namespace support

Commit Message

Stephen Smalley Jan. 2, 2025, 4:45 p.m. UTC
commit e8087cb36d3d2c6eab77 ("selinux: init inode from nearest
initialized namespace") wrongly assumed that there must be at least one
ancestor namespace that is initialized. In the case where the init
SELinux namespace was never initialized (i.e. no policy loaded on the
host), then this assumption can be false. Fix the logic to defer
initialization of the inode in that situation.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 security/selinux/hooks.c | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

Comments

Stephen Smalley Jan. 7, 2025, 6:31 p.m. UTC | #1
On Thu, Jan 2, 2025 at 11:46 AM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> commit e8087cb36d3d2c6eab77 ("selinux: init inode from nearest
> initialized namespace") wrongly assumed that there must be at least one
> ancestor namespace that is initialized. In the case where the init
> SELinux namespace was never initialized (i.e. no policy loaded on the
> host), then this assumption can be false. Fix the logic to defer
> initialization of the inode in that situation.
>
> Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>

Note: I've squashed this patch, the cited commit, and its predecessor
since neither of these have been merged yet and they are bug fixes to
the earlier unmerged commit.
Updated on my branch,
https://github.com/stephensmalley/selinux-kernel/tree/working-selinuxns

> ---
>  security/selinux/hooks.c | 15 +++++++--------
>  1 file changed, 7 insertions(+), 8 deletions(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index a6c980f9117b..da8f76707c8c 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -1441,8 +1441,14 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
>         if (isec->sclass == SECCLASS_FILE)
>                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
>
> +       /*
> +        * Find an initialized state to use.
> +        */
> +       while (state && !selinux_initialized(state))
> +               state = state->parent;
> +
>         sbsec = selinux_superblock(inode->i_sb);
> -       if (!(sbsec->flags & SE_SBINITIALIZED)) {
> +       if (!state || !(sbsec->flags & SE_SBINITIALIZED)) {
>                 /* Defer initialization until selinux_complete_init,
>                    after the initial policy is loaded and the security
>                    server is ready to handle calls. */
> @@ -1453,13 +1459,6 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
>                 goto out_unlock;
>         }
>
> -       /*
> -        * Find an initialized state to use; there must be at least
> -        * one or else the sbsec won't have been initialized.
> -        */
> -       while (!selinux_initialized(state))
> -               state = state->parent;
> -
>         sclass = isec->sclass;
>         task_sid = isec->task_sid;
>         sid = isec->sid;
> --
> 2.47.1
>

Patch

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index a6c980f9117b..da8f76707c8c 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1441,8 +1441,14 @@  static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
 	if (isec->sclass == SECCLASS_FILE)
 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
 
+	/*
+	 * Find an initialized state to use.
+	 */
+	while (state && !selinux_initialized(state))
+		state = state->parent;
+
 	sbsec = selinux_superblock(inode->i_sb);
-	if (!(sbsec->flags & SE_SBINITIALIZED)) {
+	if (!state || !(sbsec->flags & SE_SBINITIALIZED)) {
 		/* Defer initialization until selinux_complete_init,
 		   after the initial policy is loaded and the security
 		   server is ready to handle calls. */
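Review bot: the deferral comment on the `if (!state || !(sbsec->flags & SE_SBINITIALIZED))` branch now covers two distinct conditions but still describes only one ("Defer initialization until selinux_complete_init, after the initial policy is loaded"); with the walk moved above the check, `state` is NULL exactly when no namespace up to the root is initialized, and that second reason for deferring deserves a sentence in the comment. The new block comment `Find an initialized state to use.` should likewise say that the walk may end at NULL and that the NULL case is handled by the deferral below, since the invariant the old comment stated ("there must be at least one") is what this patch retracts. It is also worth confirming that nothing in the lines elided between this hunk and the next (the remainder of the deferral block before `goto out_unlock;`) dereferences `state`, as it can now be NULL on that path.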
@@ -1453,13 +1459,6 @@  static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
 		goto out_unlock;
 	}
 
-	/*
-	 * Find an initialized state to use; there must be at least
-	 * one or else the sbsec won't have been initialized.
-	 */
-	while (!selinux_initialized(state))
-		state = state->parent;
-
 	sclass = isec->sclass;
 	task_sid = isec->task_sid;
 	sid = isec->sid;
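Review bot: removing this block drops the only statement of the postcondition that the code after it relies on, namely that `state` is non-NULL and initialized by the time `sclass`, `task_sid` and `sid` are read. Since the walk now lives above the SE_SBINITIALIZED check, suggest carrying that guarantee over as a comment at the new location (for example "past this point state is non-NULL and initialized") rather than leaving it implicit; the removal itself is otherwise the straightforward move described in the commit message.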