This is a note to let you know that I've just added the patch titled
selinux: fix inconsistency between inode_getxattr and inode_listsecurity
to the 5.11-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
selinux-fix-inconsistency-between-inode_getxattr-and-inode_listsecurity.patch
and it can be found in the queue-5.11 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From a9ffe682c58aaff643764547f5420e978b6e0830 Mon Sep 17 00:00:00 2001
From: Amir Goldstein <amir73il@xxxxxxxxx>
Date: Sat, 19 Dec 2020 12:05:27 +0200
Subject: selinux: fix inconsistency between inode_getxattr and inode_listsecurity
From: Amir Goldstein <amir73il@xxxxxxxxx>
commit a9ffe682c58aaff643764547f5420e978b6e0830 upstream.
When inode has no listxattr op of its own (e.g. squashfs) vfs_listxattr
calls the LSM inode_listsecurity hooks to list the xattrs that LSMs will
intercept in inode_getxattr hooks.
When selinux LSM is installed but not initialized, it will list the
security.selinux xattr in inode_listsecurity, but will not intercept it
in inode_getxattr. This results in -ENODATA for a getxattr call for an
xattr returned by listxattr.
This situation was manifested as overlayfs failure to copy up lower
files from squashfs when selinux is built-in but not initialized,
because ovl_copy_xattr() iterates the lower inode xattrs by
vfs_listxattr() and vfs_getxattr().
Match the logic of inode_listsecurity to that of inode_getxattr and
do not list the security.selinux xattr if selinux is not initialized.
Reported-by: Michael Labriola <michael.d.labriola@xxxxxxxxx>
Tested-by: Michael Labriola <michael.d.labriola@xxxxxxxxx>
Link: https://lore.kernel.org/linux-unionfs/2nv9d47zt7.fsf@xxxxxxxxxxxxxxxxxxxxxxxxx/
Fixes: c8e222616c7e ("selinux: allow reading labels before policy is loaded")
Cc: stable@xxxxxxxxxxxxxxx#v5.9+
Signed-off-by: Amir Goldstein <amir73il@xxxxxxxxx>
Reviewed-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
security/selinux/hooks.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3413,6 +3413,10 @@ static int selinux_inode_setsecurity(str
static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
{
const int len = sizeof(XATTR_NAME_SELINUX);
+
+ if (!selinux_initialized(&selinux_state))
+ return 0;
+
if (buffer && len <= buffer_size)
memcpy(buffer, XATTR_NAME_SELINUX, len);
return len;
Patches currently in stable-queue which might be from amir73il@xxxxxxxxx are
queue-5.11/selinux-fix-inconsistency-between-inode_getxattr-and-inode_listsecurity.patch
