diff options
| author |   Stephen Smalley <sds@tycho.nsa.gov> | 2019-11-22 12:22:44 -0500 |
|---|---|---|
| committer |   Paul Moore <paul@paul-moore.com> | 2019-12-09 18:28:56 -0500 |
| commit | 1a37079c236d55fb31ebbf4b59945dab8ec8764c (patch) | |
| tree | 7981c80629949905c03d4ca9618c6448e0983236 /security/selinux/hooks.c | |
| parent | security,lockdown,selinux: implement SELinux lockdown (diff) | |
| download | linux-dev-1a37079c236d55fb31ebbf4b59945dab8ec8764c.tar.xz linux-dev-1a37079c236d55fb31ebbf4b59945dab8ec8764c.zip | |
selinux: revert "stop passing MAY_NOT_BLOCK to the AVC upon follow_link"
This reverts commit e46e01eebbbc ("selinux: stop passing MAY_NOT_BLOCK
to the AVC upon follow_link"). The correct fix is to instead fall
back to ref-walk if audit is required irrespective of the specific
audit data type. This is done in the next commit.
Fixes: e46e01eebbbc ("selinux: stop passing MAY_NOT_BLOCK to the AVC upon follow_link")
Reported-by: Will Deacon <will@kernel.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to '')
| -rw-r--r-- | security/selinux/hooks.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 9e1c4780dc20..ed64cb4cd4c5 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3004,8 +3004,9 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode, if (IS_ERR(isec)) return PTR_ERR(isec); - return avc_has_perm(&selinux_state, - sid, isec->sid, isec->sclass, FILE__READ, &ad); + return avc_has_perm_flags(&selinux_state, + sid, isec->sid, isec->sclass, FILE__READ, &ad, + rcu ? MAY_NOT_BLOCK : 0); } static noinline int audit_inode_permission(struct inode *inode, |