From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Scott Mayhew, "J. Bruce Fields", Stephen Smalley, Paul Moore
Subject: [PATCH 5.0 155/238] security/selinux: fix SECURITY_LSM_NATIVE_LABELS on reused superblock
Date: Fri, 22 Mar 2019 12:16:14 +0100
Message-Id: <20190322111307.469507918@linuxfoundation.org>
In-Reply-To: <20190322111258.383569278@linuxfoundation.org>
References: <20190322111258.383569278@linuxfoundation.org>

5.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: J. Bruce Fields

commit 3815a245b50124f0865415dcb606a034e97494d4 upstream.

In the case when we're reusing a superblock, selinux_sb_clone_mnt_opts()
fails to set set_kern_flags, with the result that
nfs_clone_sb_security() incorrectly clears NFS_CAP_SECURITY_LABEL.

The result is that if you mount the same NFS filesystem twice, NFS
security labels are turned off, even if they would work fine if you
mounted the filesystem only once.

("fixes" may be not exactly the right tag, it may be more like
"fixed-other-cases-but-missed-this-one".)

Cc: Scott Mayhew
Cc: stable@vger.kernel.org
Fixes: 0b4d3452b8b4 "security/selinux: allow security_sb_clone_mnt_opts..."
Signed-off-by: J. Bruce Fields
Acked-by: Stephen Smalley
Signed-off-by: Paul Moore
Signed-off-by: Greg Kroah-Hartman
---
 security/selinux/hooks.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -959,8 +959,11 @@ static int selinux_sb_clone_mnt_opts(con BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); /* if fs is reusing a sb, make sure that the contexts match */ - if (newsbsec->flags & SE_SBINITIALIZED) + if (newsbsec->flags & SE_SBINITIALIZED) { + if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) + *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; return selinux_cmp_sb_context(oldsb, newsb); + } mutex_lock(&newsbsec->lock);
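
Review bot: In the new `SE_SBINITIALIZED` branch, `*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;` is written before the result of `selinux_cmp_sb_context(oldsb, newsb)` is known, so the output parameter is updated even when the context comparison returns an error for the reused superblock. If callers do not already discard `*set_kern_flags` on a nonzero return, consider storing the comparison result first and setting the flag only when it is zero; otherwise a short comment saying that the flag is ignored on failure would make the ordering clearly intentional. The existing comment above the branch ("if fs is reusing a sb, make sure that the contexts match") also no longer covers everything the branch does and could mention that native-label support is reported back for the reused superblock when `set_context` is not set.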