Commit fde46f60 authored by Stephen Smalley, committed by Paul Moore

selinux: change security_compute_sid to return the ssid or tsid on match



If the end result of a security_compute_sid() computation matches the
ssid or tsid, return that SID rather than looking it up again. This
avoids the problem of multiple initial SIDs that map to the same
context.

Cc: stable@vger.kernel.org
Reported-by: Guido Trentalancia <guido@trentalancia.com>
Fixes: ae254858 ("selinux: introduce an initial SID for early boot processes")
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Tested-by: Guido Trentalancia <guido@trentalancia.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
parent 86c8db86
+11 −5
@@ -1909,12 +1909,18 @@ static int security_compute_sid(u32 ssid,
			goto out_unlock;
	}
	/* Obtain the sid for the context. */
	if (context_equal(scontext, &newcontext))
		*out_sid = ssid;
	else if (context_equal(tcontext, &newcontext))
		*out_sid = tsid;
	else {
		rc = sidtab_context_to_sid(sidtab, &newcontext, out_sid);
		if (rc == -ESTALE) {
			rcu_read_unlock();
			context_destroy(&newcontext);
			goto retry;
		}
	}
out_unlock:
	rcu_read_unlock();
	context_destroy(&newcontext);
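
Review bot: In the two shortcut branches of the if/else chain ("*out_sid = ssid;" and "*out_sid = tsid;"), rc is never assigned, so the value returned on these paths depends on rc already being 0 when control reaches the "Obtain the sid for the context" comment. The visible lines do not show that, so either confirm it against the code above the hunk or set rc = 0 explicitly in both branches. The comment itself still reads as if a sidtab lookup always happens; it would help to state there that a computed context equal to scontext or tcontext reuses the caller-supplied SID instead of calling sidtab_context_to_sid(), and that ssid takes precedence when both contexts match, since the rationale (multiple initial SIDs mapping to the same context) currently lives only in the commit message.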