Commit 1e5a8eed authored by David Windsor Committed by Paul Moore

selinux: don't reserve xattr slot when we won't fill it



Move lsm_get_xattr_slot() below the SBLABEL_MNT check so we don't leave
a NULL-named slot in the array when returning -EOPNOTSUPP; filesystem
initxattrs() callbacks stop iterating at the first NULL ->name, silently
dropping xattrs installed by later LSMs.

Cc: stable@vger.kernel.org
Signed-off-by: David Windsor <dwindsor@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
parent 032e70af
+2 −1
@@ -2966,7 +2966,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
{
	const struct cred_security_struct *crsec = selinux_cred(current_cred());
	struct superblock_security_struct *sbsec;
	struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count);
	struct xattr *xattr;
	u32 newsid, clen;
	u16 newsclass;
	int rc;
@@ -2992,6 +2992,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
	    !(sbsec->flags & SBLABEL_MNT))
		return -EOPNOTSUPP;

	xattr = lsm_get_xattr_slot(xattrs, xattr_count);
	if (xattr) {
		rc = security_sid_to_context_force(newsid,
						   &context, &clen);
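Review bot: Nothing at the relocated `xattr = lsm_get_xattr_slot(xattrs, xattr_count);` call records why it must sit after the `return -EOPNOTSUPP;` path, so a later tidy-up could fold it back into the declaration and reintroduce the dropped-xattr problem. A short comment above the call would pin the invariant, for example `/* Reserve the slot only once we will fill it: a slot left with a NULL ->name stops initxattrs() early and drops later LSMs' xattrs. */`. The function body continues past the end of this hunk, so the failure path of `security_sid_to_context_force()` is not visible here. It is worth confirming that a slot reserved but left unfilled on that path can never reach a filesystem initxattrs() callback.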