Merge tag 'selinux-pr-20191126' of git://git.kernel.org/pub/scm/linux/kernel/git...
[sfrench/cifs-2.6.git] / security / selinux / hooks.c
index 73986c1101b96dc0f382d01e7475a4df4f3216bc..5d557318f79b053fb4b22a895179e96f9c78bc55 100644 (file)
@@ -3144,6 +3144,9 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
                return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
        }
 
+       if (!selinux_state.initialized)
+               return (inode_owner_or_capable(inode) ? 0 : -EPERM);
+
        sbsec = inode->i_sb->s_security;
        if (!(sbsec->flags & SBLABEL_MNT))
                return -EOPNOTSUPP;
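Review bot: The early return added at the `!selinux_state.initialized` check has no comment, although the matching check in selinux_inode_post_setxattr has one. With no policy loaded, this path returns before the `SBLABEL_MNT` test and before whatever permission and context checks follow outside the hunk. The only gate left is `inode_owner_or_capable(inode)`, so the value the owner stores is not validated at write time. A comment would record that this is deliberate, for example `/* No policy loaded: MAC checks and context validation are impossible, so fall back to the DAC owner/CAP_FOWNER check. */`. The parentheses around the returned conditional are redundant, and the function body starts and ends outside the hunk.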
@@ -3227,6 +3230,15 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
                return;
        }
 
+       if (!selinux_state.initialized) {
+               /* If we haven't even been initialized, then we can't validate
+                * against a policy, so leave the label as invalid. It may
+                * resolve to a valid label on the next revalidation try if
+                * we've since initialized.
+                */
+               return;
+       }
+
        rc = security_context_to_sid_force(&selinux_state, value, size,
                                           &newsid);
        if (rc) {
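Review bot: The new comment in the `!selinux_state.initialized` branch says the label is left "as invalid", but the branch only returns and nothing in the hunk marks the inode's security state invalid. The claim therefore appears to rely on the inode still being in its not-yet-initialized state from code outside the hunk. If that is the assumption, the comment should say so, for example `/* No policy yet, so the context cannot be mapped to a SID; the in-core label is not updated here and is expected to be resolved on a later revalidation. */`. As a style point, the block comment starts its text on the `/*` line, whereas the usual kernel multi-line form puts `/*` on a line of its own. The function continues past the end of the hunk.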