authorAndrey Zhizhikin <andrey.zhizhikin@leica-geosystems.com>2020-10-01 16:20:39 +0000
committerAndrey Zhizhikin <andrey.zhizhikin@leica-geosystems.com>2020-10-01 16:20:39 +0000
commit84f1815a7d440786a7eee447a173864229ca8ef4 (patch)
tree037fa9b325765e44712dab8b2cb7067daed2e8f7 /security
parent11f569dee0a848f60d01aa92d54334802d3d5c14 (diff)
parenta9518c1aec5b6a8e1a04bbd54e6ba9725ef0db4c (diff)
Merge tag 'v5.4.69' into 5.4-2.1.x-imx
This is the 5.4.69 stable release Signed-off-by: Andrey Zhizhikin <andrey.zhizhikin@leica-geosystems.com>
Diffstat (limited to 'security')
-rw-r--r--security/device_cgroup.c3
-rw-r--r--security/selinux/hooks.c12
-rw-r--r--security/selinux/selinuxfs.c1
3 files changed, 15 insertions, 1 deletions
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index 725674f3276d..5d7bb91c6487 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -352,7 +352,8 @@ static bool match_exception_partial(struct list_head *exceptions, short type,
{
struct dev_exception_item *ex;
- list_for_each_entry_rcu(ex, exceptions, list) {
+ list_for_each_entry_rcu(ex, exceptions, list,
+ lockdep_is_held(&devcgroup_mutex)) {
if ((type & DEVCG_DEV_BLOCK) && !(ex->type & DEVCG_DEV_BLOCK))
continue;
if ((type & DEVCG_DEV_CHAR) && !(ex->type & DEVCG_DEV_CHAR))
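Review bot: The `lockdep_is_held(&devcgroup_mutex)` argument added to list_for_each_entry_rcu encodes a locking contract that the function's header comment does not state, and match_exception_partial starts and ends outside this hunk, so the requirement is easy to miss from the call sites. As I understand the macro, its debug check passes when either an RCU read-side critical section or the supplied condition holds, so a caller iterating with neither will now trip the RCU list-debugging warning instead of being silently accepted. I would state the contract above the signature, e.g. `/* Caller must hold devcgroup_mutex or be in an RCU read-side critical section. */`.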
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 552e73d90fd2..212f48025db8 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3156,6 +3156,9 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
}
+ if (!selinux_state.initialized)
+ return (inode_owner_or_capable(inode) ? 0 : -EPERM);
+
sbsec = inode->i_sb->s_security;
if (!(sbsec->flags & SBLABEL_MNT))
return -EOPNOTSUPP;
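Review bot: The new pre-policy branch in selinux_inode_setxattr carries no comment explaining why it returns before the SBLABEL_MNT check, while the matching branch added to selinux_inode_post_setxattr in the next hunk does; read on its own, the DAC fallback before `selinux_state.initialized` looks like an accidental bypass of the labeling checks rather than a deliberate choice. I would add above the `if`: `/* No policy loaded yet: fall back to a DAC ownership check so the label can be set before policy load. */`. The parentheses around the return expression are also redundant under kernel style, `return inode_owner_or_capable(inode) ? 0 : -EPERM;`. The function body begins outside the hunk, so I am assuming `inode` is the backing inode of `dentry` initialized at the top of the function.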
@@ -3239,6 +3242,15 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
return;
}
+ if (!selinux_state.initialized) {
+ /* If we haven't even been initialized, then we can't validate
+ * against a policy, so leave the label as invalid. It may
+ * resolve to a valid label on the next revalidation try if
+ * we've since initialized.
+ */
+ return;
+ }
+
rc = security_context_to_sid_force(&selinux_state, value, size,
&newsid);
if (rc) {
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index e6c7643c3fc0..e9eaff90cbcc 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -1508,6 +1508,7 @@ static struct avc_cache_stats *sel_avc_get_stat_idx(loff_t *idx)
*idx = cpu + 1;
return &per_cpu(avc_cache_stats, cpu);
}
+ (*idx)++;
return NULL;
}
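Review bot: The added `(*idx)++` on the not-found path changes what the caller observes in `*idx` without a word on why the position is advanced when NULL is returned, and the loop that sets `*idx = cpu + 1` on the found path starts outside the hunk. Presumably this serves a seq_file ->next callback, where a position that never moves past the last entry makes the iteration repeat the last record or fail to terminate; if so, that is worth recording next to the increment. I would add above it `/* Nothing left: still advance the position so the seq_file ->next caller sees progress. */`.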