On Wed, Oct 18, 2023 at 6:08 AM David Disseldorp <ddiss@xxxxxxx> wrote: > > Extended attribute copy-up functionality added via 19472b69d639d > ("selinux: Implementation for inode_copy_up_xattr() hook") sees > "security.selinux" contexts dropped, instead relying on contexts > applied via the inode_copy_up() hook. > > When copy-up takes place during early boot, prior to selinux > initialization / policy load, the context stripping can be unwanted > and unexpected. Make filtering dependent on selinux_initialized(). > > RFC: This changes user behaviour so is likely unacceptable. Still, > I'd be interested in hearing other suggestions for how this could be > addressed. IMHO, this is fixing a bug, only affects early userspace (pre policy load), and is likely acceptable. But Paul will make the final call. We can't introduce and use a new policy capability here because this is before policy has been loaded. > --- > security/selinux/hooks.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 2aa0e219d7217..fb3e53bb7e90c 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -3527,7 +3527,7 @@ static int selinux_inode_copy_up_xattr(const char *name) > * don't then want to overwrite it by blindly copying all the lower > * xattrs up. Instead, we have to filter out SELinux-related xattrs. > */ > - if (strcmp(name, XATTR_NAME_SELINUX) == 0) > + if (selinux_initialized() && strcmp(name, XATTR_NAME_SELINUX) == 0) > return 1; /* Discard */ > /* > * Any other attribute apart from SELINUX is not claimed, supported > -- > 2.35.3