author | Stephen Smalley <sds@tycho.nsa.gov> | 2019-11-22 20:22:44 +0300 |
---|---|---|
committer | Paul Moore <paul@paul-moore.com> | 2019-12-10 02:28:56 +0300 |
commit | 1a37079c236d55fb31ebbf4b59945dab8ec8764c (patch) | |
tree | 7981c80629949905c03d4ca9618c6448e0983236 /security/selinux/hooks.c | |
parent | 59438b46471ae6cdfb761afc8c9beaf1e428a331 (diff) | |
selinux: revert "stop passing MAY_NOT_BLOCK to the AVC upon follow_link"
This reverts commit e46e01eebbbc ("selinux: stop passing MAY_NOT_BLOCK
to the AVC upon follow_link"). The correct fix is to instead fall
back to ref-walk if audit is required irrespective of the specific
audit data type. This is done in the next commit.
Fixes: e46e01eebbbc ("selinux: stop passing MAY_NOT_BLOCK to the AVC upon follow_link")
Reported-by: Will Deacon <will@kernel.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r-- | security/selinux/hooks.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 9e1c4780dc20..ed64cb4cd4c5 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3004,8 +3004,9 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
 if (IS_ERR(isec))
 return PTR_ERR(isec);
- return avc_has_perm(&selinux_state,
- sid, isec->sid, isec->sclass, FILE__READ, &ad);
+ return avc_has_perm_flags(&selinux_state,
+ sid, isec->sid, isec->sclass, FILE__READ, &ad,
+ rcu ? MAY_NOT_BLOCK : 0);
 }
 static noinline int audit_inode_permission(struct inode *inode, |
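Review bot: The restored `rcu ? MAY_NOT_BLOCK : 0` argument to avc_has_perm_flags() has no comment explaining why the flag must be passed, and the reverted commit had dropped it, so the same cleanup could easily be repeated later. A short comment above the call would record the intent, for example `/* RCU walk: tell the AVC it must not block */`. The commit message says the audit fallback for this path only arrives in the next commit, so the two should presumably be backported and bisected together; a sentence saying so in the description would help stable maintainers. The body of selinux_inode_follow_link() starts outside this hunk, so the origin of `rcu` and the setup of `ad` are not visible here.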