On Tue, Mar 13, 2018 at 12:12:51PM +1100, NeilBrown wrote:
> > * selinux inode_doinit_with_dentry() (two call sites, very alike)
>
> I'm less sure about this one, but I think it probably wants
> d_find_any_alias() as well. Like cap_inode_getsecurity() it only wants
> a dentry so that it can pass something to __vfs_getxattr(),
> and that only wants a dentry so it can pass something to ->get.
>
> Possibly we should rename d_find_alias() to d_find_hashed_alias() so that
> people need to make a conscious choice between d_find_hashed_alias() and
> d_find_any_alias() ??
FWIW, it *is* a bug; this
/*
* this is can be hit on boot when a file is accessed
* before the policy is loaded. When we load policy we
* may find inodes that have no dentry on the
* sbsec->isec_head list. No reason to complain as these
* will get fixed up the next time we go through
* inode_doinit with a dentry, before these inodes could
* be used again by userspace.
*/
in selinux/hooks.c is flat-out wrong now. Sure, if you first load selinux
policy after exporting something over NFS or letting attacker play with
open-by-fhandle, you are past any help, but still...
I disagree about going for d_find_any_alias() from the very beginning, BTW -
we need to try it in case of d_find_alias() failure, but sufficiently crappy
filesystem can bloody well fail to access xattrs via disconnected dentry.
