On Wed, Oct 18, 2023 at 6:08 AM David Disseldorp <ddiss@xxxxxxx> wrote:
>
> Extended attribute copy-up functionality added via 19472b69d639d
> ("selinux: Implementation for inode_copy_up_xattr() hook") sees
> "security.selinux" contexts dropped, instead relying on contexts
> applied via the inode_copy_up() hook.
>
> When copy-up takes place during early boot, prior to selinux
> initialization / policy load, the context stripping can be unwanted
> and unexpected. Make filtering dependent on selinux_initialized().
>
> RFC: This changes user behaviour so is likely unacceptable. Still,
> I'd be interested in hearing other suggestions for how this could be
> addressed.
IMHO, this is fixing a bug, only affects early userspace (pre policy
load), and is likely acceptable.
But Paul will make the final call. We can't introduce and use a new
policy capability here because this is before policy has been loaded.
> ---
> security/selinux/hooks.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 2aa0e219d7217..fb3e53bb7e90c 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -3527,7 +3527,7 @@ static int selinux_inode_copy_up_xattr(const char *name)
> * don't then want to overwrite it by blindly copying all the lower
> * xattrs up. Instead, we have to filter out SELinux-related xattrs.
> */
> - if (strcmp(name, XATTR_NAME_SELINUX) == 0)
> + if (selinux_initialized() && strcmp(name, XATTR_NAME_SELINUX) == 0)
> return 1; /* Discard */
> /*
> * Any other attribute apart from SELINUX is not claimed, supported
> --
> 2.35.3
