selinux: change security_compute_sid to return the ssid or tsid on match
authorStephen Smalley <stephen.smalley.work@gmail.com>
Tue, 10 Jun 2025 19:48:27 +0000 (15:48 -0400)
committerPaul Moore <paul@paul-moore.com>
Thu, 19 Jun 2025 20:13:16 +0000 (16:13 -0400)
If the end result of a security_compute_sid() computation matches the
ssid or tsid, return that SID rather than looking it up again. This
avoids the problem of multiple initial SIDs that map to the same
context.

Cc: stable@vger.kernel.org
Reported-by: Guido Trentalancia <guido@trentalancia.com>
Fixes: ae254858ce07 ("selinux: introduce an initial SID for early boot processes")
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Tested-by: Guido Trentalancia <guido@trentalancia.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
security/selinux/ss/services.c

index 7becf3808818a612434cdc5c2214ff92896a4579..d185754c278627152a65b76ffe17c25f062b817a 100644 (file)
@@ -1909,11 +1909,17 @@ retry:
                        goto out_unlock;
        }
        /* Obtain the sid for the context. */
-       rc = sidtab_context_to_sid(sidtab, &newcontext, out_sid);
-       if (rc == -ESTALE) {
-               rcu_read_unlock();
-               context_destroy(&newcontext);
-               goto retry;
+       if (context_equal(scontext, &newcontext))
+               *out_sid = ssid;
+       else if (context_equal(tcontext, &newcontext))
+               *out_sid = tsid;
+       else {
+               rc = sidtab_context_to_sid(sidtab, &newcontext, out_sid);
+               if (rc == -ESTALE) {
+                       rcu_read_unlock();
+                       context_destroy(&newcontext);
+                       goto retry;
+               }
        }
 out_unlock:
        rcu_read_unlock();
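Review bot: The two new arms that assign `*out_sid = ssid;` and `*out_sid = tsid;` are unbraced while the trailing else arm is braced; kernel style wants braces on every arm of a mixed if/else chain, i.e. `if (context_equal(scontext, &newcontext)) {`, `} else if (context_equal(tcontext, &newcontext)) {`, `} else {`. Those two arms also reach out_unlock without assigning rc, so the success return depends on rc already being 0 at this point — presumably true after the preceding validity checks, but that is not visible in the hunk and is worth confirming. The surviving comment `/* Obtain the sid for the context. */` now heads a branch that deliberately skips the sidtab lookup; rewording it to `/* Reuse ssid/tsid when the result matches them (several initial SIDs may share a context); otherwise look it up. */` would record why the fast path exists. The enclosing function (security_compute_sid, going by the title) begins and ends outside this hunk.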