From: Casey Schaufler <casey@schaufler-ca.com>
To: Greg KH <gregkh@suse.de>
Cc: linux-kernel@vger.kernel.org, stable@kernel.org,
stable-review@kernel.org, torvalds@linux-foundation.org,
akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
Josef Bacik <josef@redhat.com>, Al Viro <viro@zeniv.linux.org.uk>,
Chuck Ebbert <cebbert@redhat.com>
Subject: Re: [34/35] fs: call security_d_instantiate in d_obtain_alias V2
Date: Fri, 25 Mar 2011 17:24:56 -0700
Message-ID: <4D8D3258.5090804@schaufler-ca.com>
In-Reply-To: <20110326000459.388812559@clark.kroah.org>

On 3/25/2011 5:04 PM, Greg KH wrote:
> 2.6.33-longterm review patch. If anyone has any objections, please let us know.
>
> ------------------
>
> From: Josef Bacik <josef@redhat.com>
>
> commit 24ff6663ccfdaf088dfa7acae489cb11ed4f43c4 upstream.
>
> While trying to track down some NFS problems with BTRFS, I kept noticing I was
> getting -EACCESS for no apparent reason. Eric Paris and printk() helped me
> figure out that it was SELinux that was giving me grief, with the following
> denial
>
> type=AVC msg=audit(1290013638.413:95): avc: denied { 0x800000 } for pid=1772
> comm="nfsd" name="" dev=sda1 ino=256 scontext=system_u:system_r:kernel_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
>
> Turns out this is because in d_obtain_alias if we can't find an alias we create
> one and do all the normal instantiation stuff, but we don't do the
> security_d_instantiate.
>
> Usually we are protected from getting a hashed dentry that hasn't yet run
> security_d_instantiate() by the parent's i_mutex, but obviously this isn't an
> option there, so in order to deal with the case that a second thread comes in
> and finds our new dentry before we get to run security_d_instantiate(), we go
> ahead and call it if we find a dentry already. Eric assures me that this is ok
> as the code checks to see if the dentry has been initialized already so calling
> security_d_instantiate() against the same dentry multiple times is ok. With
> this patch I'm no longer getting errant -EACCESS values.

Not to be a bother, but did you try this with Smack as well as SELinux?
Smack should be fine with the change, but if you're not going to try
Smack I need to know.

> Signed-off-by: Josef Bacik <josef@redhat.com>
> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
> Cc: Chuck Ebbert <cebbert@redhat.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
>
> ---
> fs/dcache.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> --- a/fs/dcache.c
> +++ b/fs/dcache.c
> @@ -1176,9 +1176,12 @@ struct dentry *d_obtain_alias(struct ino
> spin_unlock(&tmp->d_lock);
>
> spin_unlock(&dcache_lock);
> + security_d_instantiate(tmp, inode);
> return tmp;
>
> out_iput:
> + if (res && !IS_ERR(res))
> + security_d_instantiate(res, inode);
> iput(inode);
> return res;
> }
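
Review bot: The security_d_instantiate(res, inode) call added under out_iput: has no comment explaining why a cleanup label now runs an LSM hook on an alias that was found rather than created. A short comment above the "if (res && !IS_ERR(res))" check, saying that another thread may have found the hashed dentry before its security_d_instantiate() ran and that the hook is expected to tolerate repeated calls on the same dentry, would keep the commit message's reasoning next to the code. The commit message gives that repeated-call guarantee only as an assurance about the code that was checked, so it should be confirmed for every LSM that implements the hook before this goes to stable.
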