On Wed, Oct 28, 2015 at 7:56 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On 10/28/2015 01:31 PM, Stephen Smalley wrote:
>>
>> On 10/28/2015 07:48 AM, Andreas Gruenbacher wrote:
>>>
>>> On Tue, Oct 27, 2015 at 5:40 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>>>>
>>>> On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote:
>>>>>
>>>>> Use path_has_perm directly instead.
>>>>
>>>> This reverts:
>>>>
>>>> commit 13f8e9810bff12d01807b6f92329111f45218235
>>>> Author: David Howells <dhowells@xxxxxxxxxx>
>>>> Date: Thu Jun 13 23:37:55 2013 +0100
>>>>
>>>> SELinux: Institute file_path_has_perm()
>>>>
>>>> Create a file_path_has_perm() function that is like path_has_perm() but
>>>> instead takes a file struct that is the source of both the path and the
>>>> inode (rather than getting the inode from the dentry in the path). This
>>>> is then used where appropriate.
>>>>
>>>> This will be useful for situations like unionmount where it will be
>>>> possible to have an apparently-negative dentry (eg. a fallthrough) that is
>>>> open with the file struct pointing to an inode on the lower fs.
>>>>
>>>> Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
>>>> Signed-off-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
>>>>
>>>> which I think David was intending to use as part of his SELinux/overlayfs
>>>> support.
>>>
>>> Okay. As long as overlayfs support in SELinux is in half-finished
>>> state, let's leave this alone.
>>
>> Also, the caller is holding a spinlock (tty_files_lock), so you can't call
>> inode_doinit from here.
>>
>> Try stress testing your patch series by just always setting
>> isec->initialized to LABEL_INVALID.
>> Previously the *has_perm functions could be called under essentially any
>> condition, with the exception of when in a RCU walk and needing to audit
>> the dname (but they did not previously block/sleep).

Using might_sleep() is even better, then CONFIG_DEBUG_ATOMIC_SLEEP will
catch any remaining problems.

> file_has_perm() also gets called from match_file() callback to iterate_fd(),
> which holds files->file_lock.

Yes, thanks.

Andreas