+++ /dev/null
-From 6dd1e4c045afa6a4ba5d46f044c83bd357c593c2 Mon Sep 17 00:00:00 2001
-From: Zhen Lei <thunder.leizhen@huawei.com>
-Date: Wed, 7 Aug 2024 17:00:56 +0800
-Subject: selinux: add the processing of the failure of avc_add_xperms_decision()
-
-From: Zhen Lei <thunder.leizhen@huawei.com>
-
-commit 6dd1e4c045afa6a4ba5d46f044c83bd357c593c2 upstream.
-
-When avc_add_xperms_decision() fails, the information recorded by the new
-avc node is incomplete. In this case, the new avc node should be released
-instead of replacing the old avc node.
-
-Cc: stable@vger.kernel.org
-Fixes: fa1aa143ac4a ("selinux: extended permissions for ioctls")
-Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
-Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
-Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
-Signed-off-by: Paul Moore <paul@paul-moore.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- security/selinux/avc.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
---- a/security/selinux/avc.c
-+++ b/security/selinux/avc.c
-@@ -925,7 +925,11 @@ static int avc_update_node(struct selinu
- node->ae.avd.auditdeny &= ~perms;
- break;
- case AVC_CALLBACK_ADD_XPERMS:
-- avc_add_xperms_decision(node, xpd);
-+ rc = avc_add_xperms_decision(node, xpd);
-+ if (rc) {
-+ avc_node_kill(node);
-+ goto out_unlock;
-+ }
- break;
- }
- avc_node_replace(avc, node, orig);
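Review bot: nothing visible in this change says why the queued patch is being deleted, although the patch carries "Cc: stable@vger.kernel.org" and a "Fixes: fa1aa143ac4a" tag. Without it, the call at `case AVC_CALLBACK_ADD_XPERMS:` stays unchecked, so a failed avc_add_xperms_decision() still falls through to `avc_node_replace(avc, node, orig)` with the incomplete node that the patch's own message describes. Please record the reason for the drop in the commit message (for example a build or apply failure on this branch) and say whether a reworked backport will be re-queued.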
bitmap-introduce-generic-optimized-bitmap_size.patch
fix-bitmap-corruption-on-close_range-with-close_range_unshare.patch
selinux-fix-potential-counting-error-in-avc_add_xperms_decision.patch
-selinux-add-the-processing-of-the-failure-of-avc_add_xperms_decision.patch
drm-amdgpu-actually-check-flags-for-all-context-ops.patch
memcg_write_event_control-fix-a-user-triggerable-oops.patch
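Review bot: the series loses only selinux-add-the-processing-of-the-failure-of-avc_add_xperms_decision.patch, while selinux-fix-potential-counting-error-in-avc_add_xperms_decision.patch on the line above it stays queued. Both concern avc_add_xperms_decision(), so please confirm that the retained patch still applies and builds on its own for this branch, and note in the commit message that the two were checked independently.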