commit 2c97165befb487c0dc8b25d39f457d0d91d22a6f
author Paul Moore <paul@paul-moore.com> Tue Apr 19 16:36:28 2016 -0400
committer Paul Moore <paul@paul-moore.com> Tue Apr 19 16:36:28 2016 -0400
tree 86eacae3ab34a8f15d3d1eae178da47c245d4b6c
parent 0fd71a620be8648486a126fccadf9f7c2a818676

selinux: don't revalidate an inode's label when explicitly setting it

There is no point in attempting to revalidate an inode's security
label when we are in the process of setting it.

Reported-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>

security/selinux/hooks.c

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index fce7dc8..f8ecc0a 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -297,6 +297,13 @@
 	return inode->i_security;
 }
 
+static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
+{
+	struct inode *inode = d_backing_inode(dentry);
+
+	return inode->i_security;
+}
+
 /*
  * Get the security label of a dentry's backing inode.
  */
@@ -686,7 +693,7 @@
 	struct superblock_security_struct *sbsec = sb->s_security;
 	const char *name = sb->s_type->name;
 	struct dentry *root = sbsec->sb->s_root;
-	struct inode_security_struct *root_isec = backing_inode_security(root);
+	struct inode_security_struct *root_isec;
 	u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
 	u32 defcontext_sid = 0;
 	char **mount_options = opts->mnt_opts;
@@ -729,6 +736,8 @@
 	    && (num_opts == 0))
 		goto out;
 
+	root_isec = backing_inode_security_novalidate(root);
+
 	/*
 	 * parse the mount options, check if they are valid sids.
 	 * also check if someone is trying to mount the same sb more
@@ -3222,7 +3231,7 @@
 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
 				     const void *value, size_t size, int flags)
 {
-	struct inode_security_struct *isec = inode_security(inode);
+	struct inode_security_struct *isec = inode_security_novalidate(inode);
 	u32 newsid;
 	int rc;