[thirdparty/kernel/stable-queue.git] / releases / 2.6.24.1 / selinux-fix-labeling-of-proc-net-inodes.patch

From b1aa5301b9f88a4891061650c591fb8fe1c1d1da Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Fri, 25 Jan 2008 13:03:42 -0500
Subject: selinux: fix labeling of /proc/net inodes
Message-ID: <Xine.LNX.4.64.0801261602360.32278@us.intercode.com.au>

From: Stephen Smalley <sds@tycho.nsa.gov>

patch b1aa5301b9f88a4891061650c591fb8fe1c1d1da in mainline.

The proc net rewrite had a side effect on selinux, leading it to mislabel
the /proc/net inodes, thereby leading to incorrect denials.  Fix
security_genfs_sid to ignore extra leading / characters in the path supplied
by selinux_proc_get_sid since we now get "//net/..." rather than "/net/...".

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 security/selinux/ss/services.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1744,6 +1744,9 @@ int security_genfs_sid(const char *fstyp
 	struct ocontext *c;
 	int rc = 0, cmp = 0;
 
+	while (path[0] == '/' && path[1] == '/')
+		path++;
+
 	POLICY_RDLOCK;
 
 	for (genfs = policydb.genfs; genfs; genfs = genfs->next) {
Commit	Line	Data
becca5a3 GKH	1	From b1aa5301b9f88a4891061650c591fb8fe1c1d1da Mon Sep 17 00:00:00 2001
	2	From: Stephen Smalley <sds@tycho.nsa.gov>
	3	Date: Fri, 25 Jan 2008 13:03:42 -0500
	4	Subject: selinux: fix labeling of /proc/net inodes
	5	Message-ID: <Xine.LNX.4.64.0801261602360.32278@us.intercode.com.au>
	6
7ab8ec81 GKH	7	From: Stephen Smalley <sds@tycho.nsa.gov>
7ab8ec81 GKH	8
becca5a3 GKH	9	patch b1aa5301b9f88a4891061650c591fb8fe1c1d1da in mainline.
	10
	11	The proc net rewrite had a side effect on selinux, leading it to mislabel
	12	the /proc/net inodes, thereby leading to incorrect denials. Fix
	13	security_genfs_sid to ignore extra leading / characters in the path supplied
	14	by selinux_proc_get_sid since we now get "//net/..." rather than "/net/...".
	15
	16	Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
	17	Signed-off-by: James Morris <jmorris@namei.org>
	18	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
	19
	20	---
	21	security/selinux/ss/services.c \| 3 +++
	22	1 file changed, 3 insertions(+)
	23
	24	--- a/security/selinux/ss/services.c
	25	+++ b/security/selinux/ss/services.c
	26	@@ -1744,6 +1744,9 @@ int security_genfs_sid(const char *fstyp
	27	struct ocontext *c;
	28	int rc = 0, cmp = 0;
	29
	30	+ while (path[0] == '/' && path[1] == '/')
	31	+ path++;
	32	+
	33	POLICY_RDLOCK;
	34
	35	for (genfs = policydb.genfs; genfs; genfs = genfs->next) {