From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Ondrej Mosnacek, Paul Moore
Subject: [PATCH 5.10 063/221] selinux: dont log MAC_POLICY_LOAD record on failed policy load
Date: Mon, 29 Mar 2021 09:56:34 +0200
Message-Id: <20210329075631.295856056@linuxfoundation.org>
In-Reply-To: <20210329075629.172032742@linuxfoundation.org>

From: Ondrej Mosnacek

commit 519dad3bcd809dc1523bf80ab0310ddb3bf00ade upstream.

If sel_make_policy_nodes() fails, we should jump to 'out', not 'out1', as the latter would incorrectly log an MAC_POLICY_LOAD audit record, even though the policy hasn't actually been reloaded.

The 'out1' jump label now becomes unused and can be removed.

Fixes: 02a52c5c8c3b ("selinux: move policy commit after updating selinuxfs")
Cc: stable@vger.kernel.org
Signed-off-by: Ondrej Mosnacek
Signed-off-by: Paul Moore
Signed-off-by: Greg Kroah-Hartman

--- security/selinux/selinuxfs.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -651,14 +651,13 @@ static ssize_t sel_write_load(struct fil length = sel_make_policy_nodes(fsi, newpolicy); if (length) { selinux_policy_cancel(fsi->state, newpolicy); - goto out1; + goto out; } selinux_policy_commit(fsi->state, newpolicy); length = count; -out1: audit_log(audit_context(), GFP_KERNEL, AUDIT_MAC_POLICY_LOAD, "auid=%u ses=%u lsm=selinux res=1", from_kuid(&init_user_ns, audit_get_loginuid(current)),
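
Review bot: The failure branch after sel_make_policy_nodes() now jumps past audit_log(), and the record's format string hard-codes res=1, so in the lines shown a failed policy load leaves no audit record at all. If failed load attempts should stay visible to whoever reviews the audit trail, consider emitting the AUDIT_MAC_POLICY_LOAD record with res=0 on that path, or say in the commit message that failures are deliberately left unaudited here. The earlier error paths in sel_write_load() and the code at the 'out' label are outside this hunk, so whether they log anything cannot be checked from the visible context.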