Skip to content

GitLab

Switch branch/tag
History Find file
Clone
selinux: correctly label /proc inodes in use before the policy is loaded
Paul Moore authored 
commit f64410ec upstream.

This patch is based on an earlier patch by Eric Paris, he describes
the problem below:

  "If an inode is accessed before policy load it will get placed on a
   list of inodes to be initialized after policy load.  After policy
   load we call inode_doinit() which calls inode_doinit_with_dentry()
   on all inodes accessed before policy load.  In the case of inodes
   in procfs that means we'll end up at the bottom where it does:

     /* Default to the fs superblock SID. */
     isec->sid = sbsec->sid;

     if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
             if (opt_dentry) {
                     isec->sclass = inode_mode_to_security_class(...)
                     rc = selinux_proc_get_sid(opt_dentry,
                                               isec->sclass,
                                               &sid);
                     if (rc)
          ...
23a5a7a2
Name Last commit Last update
..
apparmor lsm_audit: don't specify the audit pre/post callbacks in 'struct common_audit_data'
integrity Revert "ima: policy for RAMFS"
keys key: Fix resource leak
selinux selinux: correctly label /proc inodes in use before the policy is loaded
smack Smack: move label list initialization
tomoyo usermodehelper: use UMH_WAIT_PROC consistently
yama Yama: handle 32-bit userspace prctl
Kconfig security: Yama LSM
Makefile security: Yama LSM
capability.c security: create task_free security callback
commoncap.c security: fix compile error in commoncap.c
device_cgroup.c cgroup: remove cgroup_subsys argument from callbacks
inode.c securityfs: fix object creation races
lsm_audit.c lsm_audit: don't specify the audit pre/post callbacks in 'struct common_audit_data'
min_addr.c mmap_min_addr check CAP_SYS_RAWIO only for write
security.c security: trim security.h