selinux: don't reserve xattr slot when we won't fill it

Move lsm_get_xattr_slot() below the SBLABEL_MNT check so we don't leave
a NULL-named slot in the array when returning -EOPNOTSUPP; filesystem
initxattrs() callbacks stop iterating at the first NULL ->name, silently
dropping xattrs installed by later LSMs.

Cc: stable@vger.kernel.org
Signed-off-by: David Windsor <dwindsor@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 49c482e3fa3f9dcab4d43261a07290797c9ab7ec..59942d39ada7f40e651338f8c29b40d6181b8a14 100644 (file)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2966,7 +2966,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
 {
        const struct cred_security_struct *crsec = selinux_cred(current_cred());
        struct superblock_security_struct *sbsec;
-       struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count);
+       struct xattr *xattr;
        u32 newsid, clen;
        u16 newsclass;
        int rc;
@@ -2992,6 +2992,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
            !(sbsec->flags & SBLABEL_MNT))
                return -EOPNOTSUPP;
 
+       xattr = lsm_get_xattr_slot(xattrs, xattr_count);
        if (xattr) {
                rc = security_sid_to_context_force(newsid,
                                                   &context, &clen);