Re: [PATCH v4 6/7] selinux: Revalidate invalid inode security labels

On Thu, Oct 29, 2015 at 12:52 PM, Andreas Gruenbacher
<agruenba@xxxxxxxxxx> wrote:
> On Thu, Oct 29, 2015 at 4:21 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>> On 10/28/2015 08:47 PM, Andreas Gruenbacher wrote:
>>>
>>> When fetching an inode's security label, check if it is still valid, and
>>> try reloading it if it is not. Reloading will fail when we are in RCU
>>> context which doesn't allow sleeping, or when we can't find a dentry for
>>> the inode.  (Reloading happens via iop->getxattr which takes a dentry
>>> parameter.)  When reloading fails, continue using the old, invalid
>>> label.
>>>
>>> Signed-off-by: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
>>
>>
>> Could probably use inode_security_novalidate() for all of the SOCK_INODE()
>> cases, right?
>
> I guess, yes.

There is no time like the present.  All the patches look fine to me,
but I think it would be good to add the additional
inode_security_novalidate() calls.  If you want, you can just post a
"8/7" patch with the extra calls added and I'll apply that on top of
the v4 patchset.

-- 
paul moore
www.paul-moore.com