selinux: change security_compute_sid to return the ssid or tsid on match
authorStephen Smalley <stephen.smalley.work@gmail.com>
Tue, 10 Jun 2025 19:48:27 +0000 (15:48 -0400)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 10 Jul 2025 14:05:04 +0000 (16:05 +0200)
[ Upstream commit fde46f60f6c5138ee422087addbc5bf5b4968bf1 ]

If the end result of a security_compute_sid() computation matches the
ssid or tsid, return that SID rather than looking it up again. This
avoids the problem of multiple initial SIDs that map to the same
context.

Cc: stable@vger.kernel.org
Reported-by: Guido Trentalancia <guido@trentalancia.com>
Fixes: ae254858ce07 ("selinux: introduce an initial SID for early boot processes")
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Tested-by: Guido Trentalancia <guido@trentalancia.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
security/selinux/ss/services.c

index 88850405ded9295da5112ec6d83bd4290d4498a0..f36332e64c4d1a123fa999444617c6bbfa25e329 100644 (file)
@@ -1884,11 +1884,17 @@ retry:
                        goto out_unlock;
        }
        /* Obtain the sid for the context. */
-       rc = sidtab_context_to_sid(sidtab, &newcontext, out_sid);
-       if (rc == -ESTALE) {
-               rcu_read_unlock();
-               context_destroy(&newcontext);
-               goto retry;
+       if (context_cmp(scontext, &newcontext))
+               *out_sid = ssid;
+       else if (context_cmp(tcontext, &newcontext))
+               *out_sid = tsid;
+       else {
+               rc = sidtab_context_to_sid(sidtab, &newcontext, out_sid);
+               if (rc == -ESTALE) {
+                       rcu_read_unlock();
+                       context_destroy(&newcontext);
+                       goto retry;
+               }
        }
 out_unlock:
        rcu_read_unlock();
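Review bot: The two new match branches (`*out_sid = ssid;` and `*out_sid = tsid;`) do not assign `rc`, so the value returned on that path is whatever `rc` held when control reached the comparison; that is only correct if every earlier step of the retry path leaves `rc` at 0 on success, which cannot be confirmed from this hunk because security_compute_sid starts and ends outside it. Making the intent explicit would remove the dependency, e.g. `*out_sid = ssid;` followed by `rc = 0;` in each arm, or at least a comment such as `/* rc is already 0 here: every failing step above jumped to out_unlock */` once that is verified against the function head. The correctness of the fix also presumes `context_cmp()` compares the full context (user, role, type and MLS range), since a partial match would hand back the wrong SID instead of the one sidtab would have resolved. As a point of style, kernel coding style asks for braces on every arm once one arm needs them, so the `if`/`else if` arms should be braced to match the `else` block.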