summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authorStephen Smalley <sds@tycho.nsa.gov>2018-09-04 23:51:36 +0300
committerPaul Moore <paul@paul-moore.com>2018-09-05 01:02:52 +0300
commit7bb185edb0306bb90029a5fa6b9cff900ffdbf4b (patch)
treeb8709f2b621346360b5c4f4bb634c0dd7ff1b515 /security
parent57361846b52bc686112da6ca5368d11210796804 (diff)
downloadlinux-7bb185edb0306bb90029a5fa6b9cff900ffdbf4b.tar.xz
selinux: fix mounting of cgroup2 under older policies
commit 901ef845fa2469c ("selinux: allow per-file labeling for cgroupfs") broke mounting of cgroup2 under older SELinux policies which lacked a genfscon rule for cgroup2. This prevents mounting of cgroup2 even when SELinux is permissive. Change the handling when there is no genfscon rule in policy to just mark the inode unlabeled and not return an error to the caller. This permits mounting and access if allowed by policy, e.g. to unconfined domains. I also considered changing the behavior of security_genfs_sid() to never return -ENOENT, but the current behavior is relied upon by other callers to perform caller-specific handling. Fixes: 901ef845fa2469c ("selinux: allow per-file labeling for cgroupfs") CC: <stable@vger.kernel.org> Reported-by: Dmitry Vyukov <dvyukov@google.com> Reported-by: Waiman Long <longman@redhat.com> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Tested-by: Waiman Long <longman@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security')
-rw-r--r--security/selinux/hooks.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index ad9a9b8e9979..18b98b5e1e3c 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1508,6 +1508,11 @@ static int selinux_genfs_get_sid(struct dentry *dentry,
}
rc = security_genfs_sid(&selinux_state, sb->s_type->name,
path, tclass, sid);
+ if (rc == -ENOENT) {
+ /* No match in policy, mark as unlabeled. */
+ *sid = SECINITSID_UNLABELED;
+ rc = 0;
+ }
}
free_page((unsigned long)buffer);
return rc;