Re: [RFC PATCH 44/44] selinux: fix inode initialization when no namespace is initialized

Stephen Smalley <stephen.smalley.work@xxxxxxxxx> · Tue, 7 Jan 2025 13:31:29 -0500

On Thu, Jan 2, 2025 at 11:46 AM Stephen Smalley
<stephen.smalley.work@xxxxxxxxx> wrote:
>
> commit e8087cb36d3d2c6eab77 ("selinux: init inode from nearest
> initialized namespace") wrongly assumed that there must be at least one
> ancestor namespace that is initialized. In the case where the init
> SELinux namespace was never initialized (i.e. no policy loaded on the
> host), then this assumption can be false. Fix the logic to defer
> initialization of the inode in that situation.
>
> Signed-off-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>

Note: I've squashed this patch, the cited commit, and its predecessor
since neither of these have been merged yet and they are bug fixes to
the earlier unmerged commit.
Updated on my branch,
https://github.com/stephensmalley/selinux-kernel/tree/working-selinuxns

> ---
>  security/selinux/hooks.c | 15 +++++++--------
>  1 file changed, 7 insertions(+), 8 deletions(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index a6c980f9117b..da8f76707c8c 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -1441,8 +1441,14 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
>         if (isec->sclass == SECCLASS_FILE)
>                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
>
> +       /*
> +        * Find an initialized state to use.
> +        */
> +       while (state && !selinux_initialized(state))
> +               state = state->parent;
> +
>         sbsec = selinux_superblock(inode->i_sb);
> -       if (!(sbsec->flags & SE_SBINITIALIZED)) {
> +       if (!state || !(sbsec->flags & SE_SBINITIALIZED)) {
>                 /* Defer initialization until selinux_complete_init,
>                    after the initial policy is loaded and the security
>                    server is ready to handle calls. */
> @@ -1453,13 +1459,6 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
>                 goto out_unlock;
>         }
>
> -       /*
> -        * Find an initialized state to use; there must be at least
> -        * one or else the sbsec won't have been initialized.
> -        */
> -       while (!selinux_initialized(state))
> -               state = state->parent;
> -
>         sclass = isec->sclass;
>         task_sid = isec->task_sid;
>         sid = isec->sid;
> --
> 2.47.1
>