Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp700606ybv; Thu, 13 Feb 2020 08:01:03 -0800 (PST) X-Google-Smtp-Source: APXvYqy89tlx6rH9uKWhlTgHMAXVu8pl+oqY/mm/NV+6PqJCx/MPLLE1z5y/RSqTV1SeIJI1Xc7k X-Received: by 2002:a9d:811:: with SMTP id 17mr14340930oty.369.1581609663173; Thu, 13 Feb 2020 08:01:03 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1581609663; cv=none; d=google.com; s=arc-20160816; b=fz7Pvuz8V0YEwPBhHQQ9lOBawKYgHPBLuIzXtz4rsyCggn9G4qhlNgbWHAnVJb4NRw lROtZ1XaiDchCgheJ/l5hpRLSSiPFtItKP07s1iNFJcZqzjqUxb/R77njPVmJbE7VtEt 0vy0dbMkCa+YlArh45JMhC+ZN9Xkrz80H06uLix5SArBdY4J2Kh/+1LW7V1g6LYNtjOT SBb4mXcCatDnuY3hlQivIMYBgajjzUVCXuxipuloIujYjboQYmJcU+6Sy/I8Q99Af7vk DIlJcNa4uoQO78ClBxvxcatvsl9+j9Q+6Kvuixkr2lrjvYukXmAZOuJFHCik7j//bzoU M1rw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:ironport-phdr :dkim-signature; bh=KIcuSejQnqpI1jbM63RzeE7p+CVUNEGm6AHO7WK6rr4=; b=m+AViDjs6qbTM8BPBCrdyUtBNjpxCx7D4Ue5Yb43eZv2VGFSzj0m8+5eXeCNxfBoEz c4eIVOM61UyCH1DDfPXglxAHV5kM4Ctjp/a/zMBxzF5Vc+KVUb3GLefpIT6mbRkNyz/h c9O4qpJvnyP4MttjPMWWOEPa9LQli/A8JHzZa6he4Y200EIqL/uzVO/d3qPOstnm+n/t KsD+AgYXNj9weYKnbj7Rb01ugpbxRMEkjSgenzkk53XH29eNR6kry1dwJcfY21v02vIn tLfP5V1qKXZyZAvYhuV2zaHwo0DbP+oIvf3jrYoRYXhVpDEXDNFXrcdnFARwtoqyWo+2 KifQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@tycho.nsa.gov header.s=tycho.nsa.gov header.b=lu6hMfTh; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=tycho.nsa.gov Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d19si1252707ote.3.2020.02.13.08.00.50; Thu, 13 Feb 2020 08:01:03 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@tycho.nsa.gov header.s=tycho.nsa.gov header.b=lu6hMfTh; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=tycho.nsa.gov Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729380AbgBMQAr (ORCPT + 99 others); Thu, 13 Feb 2020 11:00:47 -0500 Received: from USFB19PA36.eemsg.mail.mil ([214.24.26.199]:49602 "EHLO USFB19PA36.eemsg.mail.mil" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728853AbgBMQAp (ORCPT ); Thu, 13 Feb 2020 11:00:45 -0500 X-EEMSG-check-017: 55804223|USFB19PA36_ESA_OUT06.csd.disa.mil X-IronPort-AV: E=Sophos;i="5.70,437,1574121600"; d="scan'208";a="55804223" Received: from emsm-gh1-uea10.ncsc.mil ([214.29.60.2]) by USFB19PA36.eemsg.mail.mil with ESMTP/TLS/DHE-RSA-AES256-SHA256; 13 Feb 2020 16:00:36 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tycho.nsa.gov; i=@tycho.nsa.gov; q=dns/txt; s=tycho.nsa.gov; t=1581609637; x=1613145637; h=subject:to:cc:references:from:message-id:date: mime-version:in-reply-to:content-transfer-encoding; bh=KIcuSejQnqpI1jbM63RzeE7p+CVUNEGm6AHO7WK6rr4=; b=lu6hMfThc7yL6BWv6oMlFR9fNRZdBCDTOsfa5EkqbasRNX9bgtpP5M97 KDzGo0lK9IjYhaTGpVaPEN+R4hUodJDKB07KgMRylhEiQQvK2KzROKlPN RIsypEhsFdLePA96QgkAB2CYM7hHJ4p3oQEkmShJ8lOhG6NO6jqwNfJSp HFNzB4kmKyZ4nNeKAeXtkE+pdu87BzWqEq4CRIraJi8QIJ4SKHmwqGd2s No/BwGWAliQy+5GYvEZLM/qpUsrhqKiHT82aVWfOvYjzK1rRMPIRfF96+ pf6JoAXhc+TV9eUbtJ0gKRGqs5poOnw+w7RExtl5U+tCEANB1rIcOGdrQ w==; X-IronPort-AV: E=Sophos;i="5.70,437,1574121600"; d="scan'208";a="33030530" IronPort-PHdr: =?us-ascii?q?9a23=3AaSjTkB2aIbMKZLWismDT+DRfVm0co7zxezQtwd?= =?us-ascii?q?8ZsesXK/zxwZ3uMQTl6Ol3ixeRBMOHsq4C1bqd4/mocFdDyKjCmUhKSIZLWR?= =?us-ascii?q?4BhJdetC0bK+nBN3fGKuX3ZTcxBsVIWQwt1Xi6NU9IBJS2PAWK8TW94jEIBx?= =?us-ascii?q?rwKxd+KPjrFY7OlcS30P2594HObwlSizexfLx/IA+3oAjSucUbgpZuIbstxx?= =?us-ascii?q?XUpXdFZ+tZyWR0KFyJgh3y/N2w/Jlt8yRRv/Iu6ctNWrjkcqo7ULJVEi0oP3?= =?us-ascii?q?g668P3uxbDSxCP5mYHXWUNjhVIGQnF4wrkUZr3ryD3q/By2CiePc3xULA0RT?= =?us-ascii?q?Gv5LplRRP0lCsKMSMy/XrJgcJskq1UvBOhpwR+w4HKZoGVKOF+db7Zcd8DWG?= =?us-ascii?q?ZNQtpdWylHD4yydYsPC/cKM/heoYfzulACqQKyCReoCe/qzDJDm3340rAg0+?= =?us-ascii?q?k5DA/IwgIgEdINvnraotr6O6UdXvy6wqTT0TXObelb1Svh5IXGcB0sp+yHU7?= =?us-ascii?q?JqccrWzEkiDx7LjkmOpoz9PzOayOINuHWG4eplT+2vj2onpB9xozOywcoskZ?= =?us-ascii?q?TGhpkOx1DY9SR23IY1JdqiRE59et6rCoFcty6dN4toW84vRXxjtiUiyrAepJ?= =?us-ascii?q?K2cycHxI4nyhLCcfCLbYeF7gz5WOqMJzpzmWhrd6ilhxmo9Eit0uj8Vs6p31?= =?us-ascii?q?lUtidFidzMtmwV1xzU98iHVuNx/ke/1jaL0ADe8v1ELloularaNp4h2aQ8lp?= =?us-ascii?q?sVsUTNGS/2g1v5g7OMekU4+umn9+TnYrL8qp+aK4B0kR3xPr4rmsy+BeQ0Kg?= =?us-ascii?q?kOX26F9uSgzLDv4EL0TbpQgvA2j6XVqo7WKMsFqqKjHgNZyoMj5Ay+Dzei3t?= =?us-ascii?q?QYh34HLFdddRKckofpIErDIOz4DPijg1Ssly1nx/bdPrL7GJnNIX/DkKn5cb?= =?us-ascii?q?Zn90Fc0BYzzcxY559MBbEBOuz8WkDytNzYFRI5Nw20w+D6CNRy2IMeXn+PAq?= =?us-ascii?q?mEP6zIrV+I5+UvI++WaI8Sojb9JOAv5+Tygn8hhV8dYa6p0IMTaHC5GPRmPk?= =?us-ascii?q?qYbWPvgtgfC2cKuBQxTOjxhV2cXj5ceWyyU7g/5j4lEoKmC5nMRoS3jLyGxi?= =?us-ascii?q?e7EYVcZnpaBVCUDXfoa4KEVu8XaCKOOMBuiTgEWqa6Ro8/2hGhqhX6x6BkLu?= =?us-ascii?q?XK4C0Ys4zs1Nxv6+3UjxEy+iR+D96B3GGVU2F0gmQISic43aB+pUx9zkyO0a?= =?us-ascii?q?tmjPxCE9xc+fdJXh09NZ7GwOxwE8ryVR7ZfteVVFamRc2rASkrQdIsx98DeF?= =?us-ascii?q?59FM+/jhDHxiaqBrgVl7uRBJMq6K7Tw3/xJ8Mug0rBgYY7glZuYdFIPG3jpq?= =?us-ascii?q?dl6w3aAcadnF+UmKWqXaAd2jPd+mCey2aHoEBfVkh3S6qTGTgbZ03LvZH661?= =?us-ascii?q?nEQruGF7sqKE1CxNSEJ68Mbcfm3ntcQ/K2A8jTe2K8nS+LAB+Mwr6dJN7xd3?= =?us-ascii?q?41wDTWCE9ClRsau3mBK15tVW+av2vCAWk2RhrUaET2/Lw78SnqQw=3D=3D?= X-IPAS-Result: =?us-ascii?q?A2DmAABlcUVe/wHyM5BmGwEBAQEBAQEFAQEBEQEBAwMBA?= =?us-ascii?q?QGBe4F9gW0gEiqEFIkDhl8GgTeJcJFKCQEBAQEBAQEBATcEAQGEQAKCcDgTA?= =?us-ascii?q?hABAQEFAQEBAQEFAwEBbIVDgjspAYMBAQEBAQMjFUEQCxUDAgImAgJXBgEMB?= =?us-ascii?q?gIBAYJjP4JXJawZdYEyhUqDToE+gQ4qjD55gQeBOA+CXT6HW4JeBJdFRpdrg?= =?us-ascii?q?kSCT5N8BhybFy2OO50+IoFYKwgCGAghD4MnUBgNjlWOLCMDMI8hAQE?= Received: from tarius.tycho.ncsc.mil (HELO tarius.infosec.tycho.ncsc.mil) ([144.51.242.1]) by EMSM-GH1-UEA10.NCSC.MIL with ESMTP; 13 Feb 2020 16:00:35 +0000 Received: from moss-pluto.infosec.tycho.ncsc.mil (moss-pluto [192.168.25.131]) by tarius.infosec.tycho.ncsc.mil (8.14.7/8.14.4) with ESMTP id 01DFxZqs258318; Thu, 13 Feb 2020 10:59:37 -0500 Subject: Re: [PATCH 5.4 85/96] selinux: revert "stop passing MAY_NOT_BLOCK to the AVC upon follow_link" To: Greg Kroah-Hartman , linux-kernel@vger.kernel.org Cc: stable@vger.kernel.org, Will Deacon , Paul Moore References: <20200213151839.156309910@linuxfoundation.org> <20200213151911.147099125@linuxfoundation.org> From: Stephen Smalley Message-ID: Date: Thu, 13 Feb 2020 11:01:41 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.4.1 MIME-Version: 1.0 In-Reply-To: <20200213151911.147099125@linuxfoundation.org> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2/13/20 10:21 AM, Greg Kroah-Hartman wrote: > From: Stephen Smalley > > commit 1a37079c236d55fb31ebbf4b59945dab8ec8764c upstream. > > This reverts commit e46e01eebbbc ("selinux: stop passing MAY_NOT_BLOCK > to the AVC upon follow_link"). The correct fix is to instead fall > back to ref-walk if audit is required irrespective of the specific > audit data type. This is done in the next commit. > > Fixes: e46e01eebbbc ("selinux: stop passing MAY_NOT_BLOCK to the AVC upon follow_link") > Reported-by: Will Deacon > Signed-off-by: Stephen Smalley > Signed-off-by: Paul Moore > Signed-off-by: Greg Kroah-Hartman This patch should be accompanied by commit 0188d5c025ca8fe756ba3193bd7d150139af5a88 ("selinux: fall back to ref-walk if audit is required"). The former is reverting an incorrect fix for bda0be7ad994 ("security: make inode_follow_link RCU-walk aware"), the latter is providing the correct fix for it. > > --- > security/selinux/avc.c | 24 ++++++++++++++++++++++-- > security/selinux/hooks.c | 5 +++-- > security/selinux/include/avc.h | 5 +++++ > 3 files changed, 30 insertions(+), 4 deletions(-) [...]