Commit 2c97165b authored by Paul Moore's avatar Paul Moore

selinux: don't revalidate an inode's label when explicitly setting it

There is no point in attempting to revalidate an inode's security
label when we are in the process of setting it.
Reported-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
parent 0fd71a62
...@@ -297,6 +297,13 @@ static struct inode_security_struct *inode_security(struct inode *inode) ...@@ -297,6 +297,13 @@ static struct inode_security_struct *inode_security(struct inode *inode)
return inode->i_security; return inode->i_security;
} }
static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
{
struct inode *inode = d_backing_inode(dentry);
return inode->i_security;
}
/* /*
* Get the security label of a dentry's backing inode. * Get the security label of a dentry's backing inode.
*/ */
...@@ -686,7 +693,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, ...@@ -686,7 +693,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
struct superblock_security_struct *sbsec = sb->s_security; struct superblock_security_struct *sbsec = sb->s_security;
const char *name = sb->s_type->name; const char *name = sb->s_type->name;
struct dentry *root = sbsec->sb->s_root; struct dentry *root = sbsec->sb->s_root;
struct inode_security_struct *root_isec = backing_inode_security(root); struct inode_security_struct *root_isec;
u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
u32 defcontext_sid = 0; u32 defcontext_sid = 0;
char **mount_options = opts->mnt_opts; char **mount_options = opts->mnt_opts;
...@@ -729,6 +736,8 @@ static int selinux_set_mnt_opts(struct super_block *sb, ...@@ -729,6 +736,8 @@ static int selinux_set_mnt_opts(struct super_block *sb,
&& (num_opts == 0)) && (num_opts == 0))
goto out; goto out;
root_isec = backing_inode_security_novalidate(root);
/* /*
* parse the mount options, check if they are valid sids. * parse the mount options, check if they are valid sids.
* also check if someone is trying to mount the same sb more * also check if someone is trying to mount the same sb more
...@@ -3222,7 +3231,7 @@ static int selinux_inode_getsecurity(struct inode *inode, const char *name, void ...@@ -3222,7 +3231,7 @@ static int selinux_inode_getsecurity(struct inode *inode, const char *name, void
static int selinux_inode_setsecurity(struct inode *inode, const char *name, static int selinux_inode_setsecurity(struct inode *inode, const char *name,
const void *value, size_t size, int flags) const void *value, size_t size, int flags)
{ {
struct inode_security_struct *isec = inode_security(inode); struct inode_security_struct *isec = inode_security_novalidate(inode);
u32 newsid; u32 newsid;
int rc; int rc;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment