Merge tag 'selinux-pr-20240312' of git://git.kernel.org/pub/scm/linux/kernel/git...

[sfrench/cifs-2.6.git] / security / selinux / hooks.c

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 7da35f51a0ef190da9f4f471fc4eaf824bc7337c..860e558e9fd5aac4ce29792412cbd91bf9000f05 100644 (file)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2920,23 +2920,22 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
        struct superblock_security_struct *sbsec;
        struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count);
        u32 newsid, clen;
+       u16 newsclass;
        int rc;
        char *context;
 
        sbsec = selinux_superblock(dir->i_sb);
 
        newsid = tsec->create_sid;
-
-       rc = selinux_determine_inode_label(tsec, dir, qstr,
-               inode_mode_to_security_class(inode->i_mode),
-               &newsid);
+       newsclass = inode_mode_to_security_class(inode->i_mode);
+       rc = selinux_determine_inode_label(tsec, dir, qstr, newsclass, &newsid);
        if (rc)
                return rc;
 
        /* Possibly defer initialization to selinux_complete_init. */
        if (sbsec->flags & SE_SBINITIALIZED) {
                struct inode_security_struct *isec = selinux_inode(inode);
-               isec->sclass = inode_mode_to_security_class(inode->i_mode);
+               isec->sclass = newsclass;
                isec->sid = newsid;
                isec->initialized = LABEL_INITIALIZED;
        }
@@ -3534,9 +3533,10 @@ static int selinux_inode_copy_up_xattr(const char *name)
 {
        /* The copy_up hook above sets the initial context on an inode, but we
         * don't then want to overwrite it by blindly copying all the lower
-        * xattrs up.  Instead, we have to filter out SELinux-related xattrs.
+        * xattrs up.  Instead, filter out SELinux-related xattrs following
+        * policy load.
         */
-       if (strcmp(name, XATTR_NAME_SELINUX) == 0)
+       if (selinux_initialized() && strcmp(name, XATTR_NAME_SELINUX) == 0)
                return 1; /* Discard */
        /*
         * Any other attribute apart from SELINUX is not claimed, supported
@@ -5194,11 +5194,11 @@ out_len:
        return err;
 }
 
-static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
+static int selinux_socket_getpeersec_dgram(struct socket *sock,
+                                          struct sk_buff *skb, u32 *secid)
 {
        u32 peer_secid = SECSID_NULL;
        u16 family;
-       struct inode_security_struct *isec;
 
        if (skb && skb->protocol == htons(ETH_P_IP))
                family = PF_INET;
@@ -5206,19 +5206,21 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *
                family = PF_INET6;
        else if (sock)
                family = sock->sk->sk_family;
-       else
-               goto out;
+       else {
+               *secid = SECSID_NULL;
+               return -EINVAL;
+       }
 
        if (sock && family == PF_UNIX) {
+               struct inode_security_struct *isec;
                isec = inode_security_novalidate(SOCK_INODE(sock));
                peer_secid = isec->sid;
        } else if (skb)
                selinux_skb_peerlbl_sid(skb, family, &peer_secid);
 
-out:
        *secid = peer_secid;
        if (peer_secid == SECSID_NULL)
-               return -EINVAL;
+               return -ENOPROTOOPT;
        return 0;
 }