Now that O_PATH fds are being passed to the file_open hook, unconditionally skip mediation of them to preserve existing behavior.
Signed-off-by: Ryan Lee <ryan.lee@xxxxxxxxxxxxx>
---
 security/selinux/hooks.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 07f71e6c2660..886ee9381507 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4009,6 +4009,11 @@ static int selinux_file_open(struct file *file)
 */
 fsec->isid = isec->sid;
 fsec->pseqno = avc_policy_seqno();
+
+ /* Preserve the behavior of O_PATH fd creation not being mediated */
+ if (file->f_flags & O_PATH)
+ return 0;
+
 /*
 * Since the inode label or policy seqno may have changed
 * between the selinux_inode_permission check and the saving
--
2.43.0
base-kernel: v6.14-rc6
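Review bot: The comment on the new `if (file->f_flags & O_PATH) return 0;` does not say why the return sits after `fsec->isid` and `fsec->pseqno` are saved, nor that it skips the re-check described by the comment that follows, so a later reader cannot tell whether recording state for an unchecked open is intended. If, as the surrounding comment suggests, the saved label and seqno are later compared to decide whether a re-check is needed, an O_PATH file would look as if it had passed an open check it never had; that deserves an explicit statement either way. I would expand the comment to something like `/* O_PATH opens were never passed to this hook before; keep them unmediated here. isid/pseqno are still recorded above; later use of the fd is checked by the hooks for those operations. */` once that claim is confirmed. Because the exemption is unconditional, policy cannot opt in to mediating O_PATH opens; gating it behind a policy capability may be worth discussing. selinux_file_open starts and ends outside this hunk.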