From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Maurizio Lombardi <mlombard@redhat.com>,
Mike Christie <michael.christie@oracle.com>,
"Martin K. Petersen" <martin.petersen@oracle.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.4 47/84] scsi: target: Fix SELinux error when systemd-modules loads the target module
Date: Tue, 14 May 2024 12:19:58 +0200 [thread overview]
Message-ID: <20240514100953.458848852@linuxfoundation.org> (raw)
In-Reply-To: <20240514100951.686412426@linuxfoundation.org>
5.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maurizio Lombardi <mlombard@redhat.com>
[ Upstream commit 97a54ef596c3fd24ec2b227ba8aaf2cf5415e779 ]
If the systemd-modules service loads the target module, the credentials of
that userspace process will be used to validate the access to the target db
directory. SELinux will prevent it, reporting an error like the following:
kernel: audit: type=1400 audit(1676301082.205:4): avc: denied { read }
for pid=1020 comm="systemd-modules" name="target" dev="dm-3"
ino=4657583 scontext=system_u:system_r:systemd_modules_load_t:s0
tcontext=system_u:object_r:targetd_etc_rw_t:s0 tclass=dir permissive=0
Fix the error by using the kernel credentials to access the db directory
Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
Link: https://lore.kernel.org/r/20240215143944.847184-2-mlombard@redhat.com
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/target/target_core_configfs.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/drivers/target/target_core_configfs.c b/drivers/target/target_core_configfs.c
index e6e1755978602..4edabab65b879 100644
--- a/drivers/target/target_core_configfs.c
+++ b/drivers/target/target_core_configfs.c
@@ -3458,6 +3458,8 @@ static int __init target_core_init_configfs(void)
{
struct configfs_subsystem *subsys = &target_core_fabrics;
struct t10_alua_lu_gp *lu_gp;
+ struct cred *kern_cred;
+ const struct cred *old_cred;
int ret;
pr_debug("TARGET_CORE[0]: Loading Generic Kernel Storage"
@@ -3534,11 +3536,21 @@ static int __init target_core_init_configfs(void)
if (ret < 0)
goto out;
+ /* We use the kernel credentials to access the target directory */
+ kern_cred = prepare_kernel_cred(&init_task);
+ if (!kern_cred) {
+ ret = -ENOMEM;
+ goto out;
+ }
+ old_cred = override_creds(kern_cred);
target_init_dbroot();
+ revert_creds(old_cred);
+ put_cred(kern_cred);
return 0;
out:
+ target_xcopy_release_pt();
configfs_unregister_subsystem(subsys);
core_dev_release_virtual_lun0();
rd_module_exit();
--
2.43.0
next prev parent reply other threads:[~2024-05-14 11:44 UTC|newest]
Thread overview: 91+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-14 10:19 [PATCH 5.4 00/84] 5.4.276-rc1 review Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 01/84] dmaengine: pl330: issue_pending waits until WFP state Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 02/84] dmaengine: Revert "dmaengine: pl330: issue_pending waits until WFP state" Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 03/84] wifi: nl80211: dont free NULL coalescing rule Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 04/84] pinctrl: core: delete incorrect free in pinctrl_enable() Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 05/84] pinctrl: mediatek: Check gpio pin number and use binary search in mtk_hw_pin_field_lookup() Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 06/84] pinctrl: mediatek: Supporting driving setting without mapping current to register value Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 07/84] pinctrl: mediatek: Refine mtk_pinconf_get() and mtk_pinconf_set() Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 08/84] pinctrl: mediatek: Refine mtk_pinconf_get() Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 09/84] pinctrl: mediatek: Backward compatible to previous Mediateks bias-pull usage Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 10/84] pinctrl: mediatek: remove shadow variable declaration Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 11/84] pinctrl: mediatek: paris: Fix PIN_CONFIG_BIAS_* readback Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 12/84] pinctrl: mediatek: paris: Rework mtk_pinconf_{get,set} switch/case logic Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 13/84] pinctrl: mediatek: paris: Rework support for PIN_CONFIG_{INPUT,OUTPUT}_ENABLE Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 14/84] sunrpc: add a struct rpc_stats arg to rpc_create_args Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 15/84] nfs: expose /proc/net/sunrpc/nfs in net namespaces Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 16/84] nfs: make the rpc_stat per net namespace Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 17/84] nfs: Handle error of rpc_proc_register() in nfs_net_init() Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 18/84] power: rt9455: hide unused rt9455_boost_voltage_values Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 19/84] pinctrl: devicetree: fix refcount leak in pinctrl_dt_to_map() Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 20/84] s390/mm: Fix storage key clearing for guest huge pages Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 21/84] s390/mm: Fix clearing storage keys for " Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 22/84] bna: ensure the copied buf is NUL terminated Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 23/84] nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment() Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 24/84] net l2tp: drop flow hash on forward Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 25/84] net: qede: use return from qede_parse_flow_attr() for flow_spec Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 26/84] ASoC: meson: axg-card: make links nonatomic Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 27/84] ASoC: meson: axg-tdm-interface: manage formatters in trigger Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 28/84] net: dsa: mv88e6xxx: Add number of MACs in the ATU Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 29/84] net: dsa: mv88e6xxx: Fix number of databases for 88E6141 / 88E6341 Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 30/84] net: bridge: fix multicast-to-unicast with fraglist GSO Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 31/84] tipc: fix a possible memleak in tipc_buf_append Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 32/84] clk: sunxi-ng: h6: Reparent CPUX during PLL CPUX rate change Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 33/84] scsi: lpfc: Update lpfc_ramp_down_queue_handler() logic Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 34/84] gfs2: Fix invalid metadata access in punch_hole Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 35/84] wifi: mac80211: fix ieee80211_bss_*_flags kernel-doc Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 36/84] wifi: cfg80211: fix rdev_dump_mpp() arguments order Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 37/84] net: mark racy access on sk->sk_rcvbuf Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 38/84] scsi: bnx2fc: Remove spin_lock_bh while releasing resources after upload Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 39/84] ALSA: line6: Zero-initialize message buffers Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 40/84] net: bcmgenet: Reset RBUF on first open Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 41/84] ata: sata_gemini: Check clk_enable() result Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 42/84] firewire: ohci: mask bus reset interrupts between ISR and bottom half Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 43/84] tools/power turbostat: Fix added raw MSR output Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 44/84] tools/power turbostat: Fix Bzy_MHz documentation typo Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 45/84] btrfs: make btrfs_clear_delalloc_extent() free delalloc reserve Greg Kroah-Hartman
2024-05-14 10:19 ` [PATCH 5.4 46/84] btrfs: always clear PERTRANS metadata during commit Greg Kroah-Hartman
2024-05-14 10:19 ` Greg Kroah-Hartman [this message]
2024-05-14 10:19 ` [PATCH 5.4 48/84] gpu: host1x: Do not setup DMA for virtual devices Greg Kroah-Hartman
2024-05-14 10:20 ` [PATCH 5.4 49/84] MIPS: scall: Save thread_info.syscall unconditionally on entry Greg Kroah-Hartman
2024-05-14 10:20 ` [PATCH 5.4 50/84] selftests: timers: Fix valid-adjtimex signed left-shift undefined behavior Greg Kroah-Hartman
2024-05-14 10:20 ` [PATCH 5.4 51/84] fs/9p: only translate RWX permissions for plain 9P2000 Greg Kroah-Hartman
2024-05-14 10:20 ` [PATCH 5.4 52/84] fs/9p: translate O_TRUNC into OTRUNC Greg Kroah-Hartman
2024-05-14 10:20 ` [PATCH 5.4 53/84] 9p: explicitly deny setlease attempts Greg Kroah-Hartman
2024-05-14 10:20 ` [PATCH 5.4 54/84] gpio: wcove: Use -ENOTSUPP consistently Greg Kroah-Hartman
2024-05-14 10:20 ` [PATCH 5.4 55/84] gpio: crystalcove: " Greg Kroah-Hartman
2024-05-14 10:20 ` [PATCH 5.4 56/84] clk: Dont hold prepare_lock when calling kref_put() Greg Kroah-Hartman
2024-05-14 10:20 ` [PATCH 5.4 57/84] fs/9p: drop inodes immediately on non-.L too Greg Kroah-Hartman
2024-05-14 10:20 ` [PATCH 5.4 58/84] net:usb:qmi_wwan: support Rolling modules Greg Kroah-Hartman
2024-05-14 10:20 ` [PATCH 5.4 59/84] pinctrl: mediatek: Fix fallback call path Greg Kroah-Hartman
2024-05-14 10:20 ` [PATCH 5.4 60/84] ASoC: meson: axg-card: Fix nonatomic links Greg Kroah-Hartman
2024-05-14 10:20 ` [PATCH 5.4 61/84] ASoC: meson: axg-tdm-interface: Fix formatters in trigger" Greg Kroah-Hartman
2024-05-14 10:20 ` [PATCH 5.4 62/84] xfrm: Preserve vlan tags for transport mode software GRO Greg Kroah-Hartman
2024-05-14 10:20 ` [PATCH 5.4 63/84] tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets Greg Kroah-Hartman
2024-05-14 10:20 ` [PATCH 5.4 64/84] tcp: Use refcount_inc_not_zero() in tcp_twsk_unique() Greg Kroah-Hartman
2024-05-14 10:20 ` [PATCH 5.4 65/84] Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout Greg Kroah-Hartman
2024-05-14 10:20 ` [PATCH 5.4 66/84] Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout Greg Kroah-Hartman
2024-05-14 10:20 ` [PATCH 5.4 67/84] rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation Greg Kroah-Hartman
2024-05-14 10:20 ` [PATCH 5.4 68/84] phonet: fix rtm_phonet_notify() skb allocation Greg Kroah-Hartman
2024-05-14 10:20 ` [PATCH 5.4 69/84] net: bridge: fix corrupted ethernet header on multicast-to-unicast Greg Kroah-Hartman
2024-05-14 10:20 ` [PATCH 5.4 70/84] ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action() Greg Kroah-Hartman
2024-05-14 10:20 ` [PATCH 5.4 71/84] net: qede: sanitize rc in qede_add_tc_flower_fltr() Greg Kroah-Hartman
2024-05-14 10:20 ` [PATCH 5.4 72/84] net: qede: use return from qede_parse_flow_attr() for flower Greg Kroah-Hartman
2024-05-14 10:20 ` [PATCH 5.4 73/84] firewire: nosy: ensure user_length is taken into account when fetching packet contents Greg Kroah-Hartman
2024-05-14 10:20 ` [PATCH 5.4 74/84] usb: gadget: composite: fix OS descriptors w_value logic Greg Kroah-Hartman
2024-05-14 10:20 ` [PATCH 5.4 75/84] usb: gadget: f_fs: Fix a race condition when processing setup packets Greg Kroah-Hartman
2024-05-14 10:20 ` [PATCH 5.4 76/84] tipc: fix UAF in error path Greg Kroah-Hartman
2024-05-14 10:20 ` [PATCH 5.4 77/84] dyndbg: fix old BUG_ON in >control parser Greg Kroah-Hartman
2024-05-14 10:20 ` [PATCH 5.4 78/84] drm/vmwgfx: Fix invalid reads in fence signaled events Greg Kroah-Hartman
2024-05-14 10:20 ` [PATCH 5.4 79/84] net: fix out-of-bounds access in ops_init Greg Kroah-Hartman
2024-05-14 10:20 ` [PATCH 5.4 80/84] regulator: core: fix debugfs creation regression Greg Kroah-Hartman
2024-05-14 10:20 ` [PATCH 5.4 81/84] pinctrl: mediatek: Fix fallback behavior for bias_set_combo Greg Kroah-Hartman
2024-05-14 10:20 ` [PATCH 5.4 82/84] pinctrl: mediatek: Fix some off by one bugs Greg Kroah-Hartman
2024-05-14 10:20 ` [PATCH 5.4 83/84] pinctrl: mediatek: remove set but not used variable e Greg Kroah-Hartman
2024-05-14 10:20 ` [PATCH 5.4 84/84] pinctrl: mediatek: paris: Fix PIN_CONFIG_INPUT_SCHMITT_ENABLE readback Greg Kroah-Hartman
2024-05-14 16:29 ` [PATCH 5.4 00/84] 5.4.276-rc1 review Harshit Mogalapalli
2024-05-14 22:32 ` Florian Fainelli
2024-05-15 15:08 ` Shuah Khan
2024-05-16 7:41 ` Naresh Kamboju
2024-05-16 12:30 ` Jon Hunter
2024-05-16 19:57 ` Shreeya Patel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240514100953.458848852@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=martin.petersen@oracle.com \
--cc=michael.christie@oracle.com \
--cc=mlombard@redhat.com \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox