Commit 3815a245 authored Mar 05, 2019 by J. Bruce Fields Committed by Paul Moore Mar 11, 2019

security/selinux: fix SECURITY_LSM_NATIVE_LABELS on reused superblock



In the case when we're reusing a superblock, selinux_sb_clone_mnt_opts()
fails to set set_kern_flags, with the result that
nfs_clone_sb_security() incorrectly clears NFS_CAP_SECURITY_LABEL.

The result is that if you mount the same NFS filesystem twice, NFS
security labels are turned off, even if they would work fine if you
mounted the filesystem only once.

("fixes" may be not exactly the right tag, it may be more like
"fixed-other-cases-but-missed-this-one".)

Cc: Scott Mayhew <smayhew@redhat.com>
Cc: stable@vger.kernel.org
Fixes: 0b4d3452 "security/selinux: allow security_sb_clone_mnt_opts..."
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>

parent 292c997a

security/selinux/hooks.c

+4 −1

Original line number	Diff line number	Diff line
		@@ -981,8 +981,11 @@ static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
		BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));

		/* if fs is reusing a sb, make sure that the contexts match */
		if (newsbsec->flags & SE_SBINITIALIZED)
		if (newsbsec->flags & SE_SBINITIALIZED) {
		if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
		*set_kern_flags \|= SECURITY_LSM_NATIVE_LABELS;
		return selinux_cmp_sb_context(oldsb, newsb);
		}

		mutex_lock(&newsbsec->lock);

Admin message