From 814aeafa9464ec8901896817ab9c88d6002149b5 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 9 Apr 2014 10:15:24 -0700
Subject: [PATCH] 3.4-stable patches

added patches:
	selinux-correctly-label-proc-inodes-in-use-before-the-policy-is-loaded.patch
---
 ...s-in-use-before-the-policy-is-loaded.patch | 106 ++++++++++++++++++
 queue-3.4/series                              |   1 +
 2 files changed, 107 insertions(+)
 create mode 100644 queue-3.4/selinux-correctly-label-proc-inodes-in-use-before-the-policy-is-loaded.patch

diff --git a/queue-3.4/selinux-correctly-label-proc-inodes-in-use-before-the-policy-is-loaded.patch b/queue-3.4/selinux-correctly-label-proc-inodes-in-use-before-the-policy-is-loaded.patch
new file mode 100644
index 00000000000..c5cb2e14877
--- /dev/null
+++ b/queue-3.4/selinux-correctly-label-proc-inodes-in-use-before-the-policy-is-loaded.patch
@@ -0,0 +1,106 @@
+From f64410ec665479d7b4b77b7519e814253ed0f686 Mon Sep 17 00:00:00 2001
+From: Paul Moore <pmoore@redhat.com>
+Date: Wed, 19 Mar 2014 16:46:18 -0400
+Subject: selinux: correctly label /proc inodes in use before the policy is loaded
+
+From: Paul Moore <pmoore@redhat.com>
+
+commit f64410ec665479d7b4b77b7519e814253ed0f686 upstream.
+
+This patch is based on an earlier patch by Eric Paris, he describes
+the problem below:
+
+  "If an inode is accessed before policy load it will get placed on a
+   list of inodes to be initialized after policy load.  After policy
+   load we call inode_doinit() which calls inode_doinit_with_dentry()
+   on all inodes accessed before policy load.  In the case of inodes
+   in procfs that means we'll end up at the bottom where it does:
+
+     /* Default to the fs superblock SID. */
+     isec->sid = sbsec->sid;
+
+     if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
+             if (opt_dentry) {
+                     isec->sclass = inode_mode_to_security_class(...)
+                     rc = selinux_proc_get_sid(opt_dentry,
+                                               isec->sclass,
+                                               &sid);
+                     if (rc)
+                             goto out_unlock;
+                     isec->sid = sid;
+             }
+     }
+
+   Since opt_dentry is null, we'll never call selinux_proc_get_sid()
+   and will leave the inode labeled with the label on the superblock.
+   I believe a fix would be to mimic the behavior of xattrs.  Look
+   for an alias of the inode.  If it can't be found, just leave the
+   inode uninitialized (and pick it up later) if it can be found, we
+   should be able to call selinux_proc_get_sid() ..."
+
+On a system exhibiting this problem, you will notice a lot of files in
+/proc with the generic "proc_t" type (at least the ones that were
+accessed early in the boot), for example:
+
+   # ls -Z /proc/sys/kernel/shmmax | awk '{ print $4 " " $5 }'
+   system_u:object_r:proc_t:s0 /proc/sys/kernel/shmmax
+
+However, with this patch in place we see the expected result:
+
+   # ls -Z /proc/sys/kernel/shmmax | awk '{ print $4 " " $5 }'
+   system_u:object_r:sysctl_kernel_t:s0 /proc/sys/kernel/shmmax
+
+Cc: Eric Paris <eparis@redhat.com>
+Signed-off-by: Paul Moore <pmoore@redhat.com>
+Acked-by: Eric Paris <eparis@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/selinux/hooks.c |   36 +++++++++++++++++++++++++++---------
+ 1 file changed, 27 insertions(+), 9 deletions(-)
+
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -1329,15 +1329,33 @@ static int inode_doinit_with_dentry(stru
+ 		isec->sid = sbsec->sid;
+ 
+ 		if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
+-			if (opt_dentry) {
+-				isec->sclass = inode_mode_to_security_class(inode->i_mode);
+-				rc = selinux_proc_get_sid(opt_dentry,
+-							  isec->sclass,
+-							  &sid);
+-				if (rc)
+-					goto out_unlock;
+-				isec->sid = sid;
+-			}
++			/* We must have a dentry to determine the label on
++			 * procfs inodes */
++			if (opt_dentry)
++				/* Called from d_instantiate or
++				 * d_splice_alias. */
++				dentry = dget(opt_dentry);
++			else
++				/* Called from selinux_complete_init, try to
++				 * find a dentry. */
++				dentry = d_find_alias(inode);
++			/*
++			 * This can be hit on boot when a file is accessed
++			 * before the policy is loaded.  When we load policy we
++			 * may find inodes that have no dentry on the
++			 * sbsec->isec_head list.  No reason to complain as
++			 * these will get fixed up the next time we go through
++			 * inode_doinit() with a dentry, before these inodes
++			 * could be used again by userspace.
++			 */
++			if (!dentry)
++				goto out_unlock;
++			isec->sclass = inode_mode_to_security_class(inode->i_mode);
++			rc = selinux_proc_get_sid(dentry, isec->sclass, &sid);
++			dput(dentry);
++			if (rc)
++				goto out_unlock;
++			isec->sid = sid;
+ 		}
+ 		break;
+ 	}
diff --git a/queue-3.4/series b/queue-3.4/series
index 0148a50cc4e..421a2fa11de 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
@@ -10,3 +10,4 @@ idr-idr_for_each_entry-macro.patch
 pps-add-pps_lookup_dev-function.patch
 pps-use-pps_lookup_dev-to-reduce-ldisc-coupling.patch
 pps-fix-a-use-after-free-bug-when-unregistering-a-source.patch
+selinux-correctly-label-proc-inodes-in-use-before-the-policy-is-loaded.patch
-- 
2.47.3