Re: [PATCH] security: fix the logic in security_inode_getsecctx()


 



On Fri, Jan 26, 2024 at 5:44 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
>
> The inode_getsecctx LSM hook has previously been corrected to have
> -EOPNOTSUPP instead of 0 as the default return value to fix BPF LSM
> behavior. However, the call_int_hook()-generated loop in
> security_inode_getsecctx() was left treating 0 as the neutral value, so
> after an LSM returns 0, the loop continues to try other LSMs, and if one
> of them returns a non-zero value, the function immediately returns with
> said value. So in a situation where SELinux and the BPF LSMs registered
> this hook, -EOPNOTSUPP would be incorrectly returned whenever SELinux
> returned 0.
>
> Fix this by open-coding the call_int_hook() loop and making it use the
> correct LSM_RET_DEFAULT() value as the neutral one, similar to what
> other hooks do.
>
> Reported-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
> Link: https://lore.kernel.org/selinux/CAEjxPJ4ev-pasUwGx48fDhnmjBnq_Wh90jYPwRQRAqXxmOKD4Q@xxxxxxxxxxxxxx/
> Fixes: b36995b8609a ("lsm: fix default return value for inode_getsecctx")
> Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
> ---
>
> I ran 'tools/nfs.sh' on the patch and even though it fixes the most
> serious issue that Stephen reported, some of the tests are still
> failing under NFS (but I will presume that these are pre-existing issues
> not caused by the patch).

Do you have a list of the failing tests? For me, it was hanging on
unix_socket and thus not getting to many of the tests. I would like to
triage the still-failing ones to confirm that they are in fact
known/expected failures for NFS.
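
The return-value logic described in the quoted commit message can be modelled in userspace. This is an added example, not code from the patch or the kernel tree: `hook_fn`, `selinux_like`, `bpf_like` and both loop functions are hypothetical stand-ins, and the BPF-side hook is assumed to return the hook's default value.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model only; every name here is hypothetical. */
typedef int (*hook_fn)(void);

/* Default return value of the hook, as stated in the commit message. */
#define HOOK_DEFAULT (-EOPNOTSUPP)

static int selinux_like(void) { return 0; }            /* LSM that supplied a context */
static int bpf_like(void)     { return HOOK_DEFAULT; } /* assumed: returns the default */

/* Old behaviour: 0 is the neutral value, so a success does not stop the loop.
 * The initial rc is an assumption of this model. */
static int getsecctx_before(const hook_fn *hooks, size_t n)
{
    int rc = HOOK_DEFAULT;
    for (size_t i = 0; i < n; i++) {
        rc = hooks[i]();
        if (rc != 0)
            break;
    }
    return rc;
}

/* Fixed behaviour: the hook default is neutral; the first other result wins. */
static int getsecctx_after(const hook_fn *hooks, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        int rc = hooks[i]();
        if (rc != HOOK_DEFAULT)
            return rc;
    }
    return HOOK_DEFAULT;
}

static const hook_fn selinux_then_bpf[] = { selinux_like, bpf_like };
static const hook_fn bpf_only[]         = { bpf_like };

int main(void)
{
    printf("before: %d\n", getsecctx_before(selinux_then_bpf, 2));
    printf("after:  %d\n", getsecctx_after(selinux_then_bpf, 2));
    printf("after, bpf only: %d\n", getsecctx_after(bpf_only, 1));
    return 0;
}
```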




