selinux/stable-6.6 PR 20230914

-----BEGIN PGP SIGNATURE----- iQJIBAABCAAyFiEES0KozwfymdVUl37v6iDy2pc3iXMFAmUDRAUUHHBhdWxAcGF1 bC1tb29yZS5jb20ACgkQ6iDy2pc3iXMwfw//cVR2sZxCjW6IXdYG627mL+IDMQJ3 IVfN4N1l/bwA4R+ZHLwrOMTZx7lRUoyOAMDMfvDHJnCgvbeHtuKj5mopd1HekaN9 Jga7mDQ/+moc6x6S85xI0nqzUiKEgxs7um7vLVnm+25QDHpEdGNQyDQgLmP4/OrO 3rjlpeJjDuOMrspod+9wNK1m0sqpU0I0qMUxqdqBvW1eQ7zeYej5NhV/4+6eMVHT Lb/Rbxl7PPln69rhZ8uTdSOK51OcLfUoptpw+fts6KWjaIG9VBgltygSnYh7sxk1 g+qfFZyRyLEEQu7XCFRGCo5uDPoWLvi0XBhSotW94evSpV4/F5lB/ZTBq/E8bsc3 v4Na0njg2VGwqC/K7KEa1JJ40+L8QqNolgI+Tvm68d5mgU06HEIKsUdlj+wXwmbu tMlqCtOLEfPtnO5MI9LJpyUJfJ/gbT3YUyejNfD0b75w9JnIkf0yXu1CgKDJ4bip czZUn/+xxpQoJ+gsc1c6gLgEjm7mL4tHb5dvPL/hYA//BFw/nww7hVY4Wr08Hz3l vk2QKJQYUwThXxPXhwfyYO9ItHeVJX3GYuTSEfjaZN/xqWTeTnBfpvq7A5lwdOAl SGbescaOvzIRas3x0FWIJVF35Glwx7vOU6OyQsCTcZR0B4/hRkKtvAcJ2WRFvBrf QpHfsBBUtaY8Ors= =B1mh -----END PGP SIGNATURE----- Merge tag 'selinux-pr-20230914' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux Pull selinux fix from Paul Moore: "A relatively small SELinux patch to fix an issue with a vfs/LSM/SELinux patch that went upstream during the recent merge window. The short version is that the original patch changed how we initialized mount options to resolve a NFS issue and we inadvertently broke a use case due to the changed behavior. The fix restores this behavior for the cases that require it while keeping the original NFS fix in place" * tag 'selinux-pr-20230914' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: selinux: fix handling of empty opts in selinux_fs_context_submount()
2023-09-15 12:38:44 -07:00 · 2023-09-15 12:38:44 -07:00 · 02e768c9fe
commit 02e768c9fe
parent 82210979f3 ccf1dab96b
1 changed files with 8 additions and 2 deletions
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@ -2775,14 +2775,20 @@ static int selinux_umount(struct vfsmount *mnt, int flags)
 static int selinux_fs_context_submount(struct fs_context *fc,
 				   struct super_block *reference)
 {
-	const struct superblock_security_struct *sbsec;
+	const struct superblock_security_struct *sbsec = selinux_superblock(reference);
 	struct selinux_mnt_opts *opts;

+	/*
+	 * Ensure that fc->security remains NULL when no options are set
+	 * as expected by selinux_set_mnt_opts().
+	 */
+	if (!(sbsec->flags & (FSCONTEXT_MNT|CONTEXT_MNT|DEFCONTEXT_MNT)))
+		return 0;
+
 	opts = kzalloc(sizeof(*opts), GFP_KERNEL);
 	if (!opts)
 		return -ENOMEM;

-	sbsec = selinux_superblock(reference);
 	if (sbsec->flags & FSCONTEXT_MNT)
 		opts->fscontext_sid = sbsec->sid;
 	if (sbsec->flags & CONTEXT_MNT)