summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authorJ. Bruce Fields <bfields@redhat.com>2019-03-06 00:17:58 +0300
committerPaul Moore <paul@paul-moore.com>2019-03-11 23:13:17 +0300
commit3815a245b50124f0865415dcb606a034e97494d4 (patch)
tree9a06379fc9d4b301570e75f209ce5d82e7421153 /security
parent292c997a1970f8d1e1dfa354ed770a22f7b5a434 (diff)
downloadlinux-3815a245b50124f0865415dcb606a034e97494d4.tar.xz
security/selinux: fix SECURITY_LSM_NATIVE_LABELS on reused superblock
In the case when we're reusing a superblock, selinux_sb_clone_mnt_opts() fails to set set_kern_flags, with the result that nfs_clone_sb_security() incorrectly clears NFS_CAP_SECURITY_LABEL. The result is that if you mount the same NFS filesystem twice, NFS security labels are turned off, even if they would work fine if you mounted the filesystem only once. ("fixes" may be not exactly the right tag, it may be more like "fixed-other-cases-but-missed-this-one".) Cc: Scott Mayhew <smayhew@redhat.com> Cc: stable@vger.kernel.org Fixes: 0b4d3452b8b4 "security/selinux: allow security_sb_clone_mnt_opts..." Signed-off-by: J. Bruce Fields <bfields@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security')
-rw-r--r--security/selinux/hooks.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 3745922c7132..0fe5ed8c33a0 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -981,8 +981,11 @@ static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
/* if fs is reusing a sb, make sure that the contexts match */
- if (newsbsec->flags & SE_SBINITIALIZED)
+ if (newsbsec->flags & SE_SBINITIALIZED) {
+ if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
+ *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
return selinux_cmp_sb_context(oldsb, newsb);
+ }
mutex_lock(&newsbsec->lock);