From b1794f76d9e8b09b0b468144fab0fda003ddcaf7 Mon Sep 17 00:00:00 2001 From: Kyle McMartin Date: Sat, 18 Dec 2010 10:48:05 -0500 Subject: [PATCH] fs-call-security_d_instantiate-in-d_obtain_alias (#662344) --- ...rity_d_instantiate-in-d_obtain_alias.patch | 65 +++++++++++++++++++ kernel.spec | 9 ++- 2 files changed, 73 insertions(+), 1 deletion(-) create mode 100644 fs-call-security_d_instantiate-in-d_obtain_alias.patch diff --git a/fs-call-security_d_instantiate-in-d_obtain_alias.patch b/fs-call-security_d_instantiate-in-d_obtain_alias.patch new file mode 100644 index 000000000..b151c0a70 --- /dev/null +++ b/fs-call-security_d_instantiate-in-d_obtain_alias.patch @@ -0,0 +1,65 @@ +From linux-fsdevel-owner@vger.kernel.org Thu Nov 18 21:03:11 2010 +From: Josef Bacik +To: linux-fsdevel@vger.kernel.org, eparis@redhat.com, + linux-kernel@vger.kernel.org, sds@tycho.nsa.gov, + selinux@tycho.nsa.gov, bfields@fieldses.org +Subject: [PATCH] fs: call security_d_instantiate in d_obtain_alias V2 +Date: Thu, 18 Nov 2010 20:52:55 -0500 +Message-Id: <1290131575-2489-1-git-send-email-josef@redhat.com> +X-Mailing-List: linux-fsdevel@vger.kernel.org + +While trying to track down some NFS problems with BTRFS, I kept noticing I was +getting -EACCESS for no apparent reason. Eric Paris and printk() helped me +figure out that it was SELinux that was giving me grief, with the following +denial + +type=AVC msg=audit(1290013638.413:95): avc: denied { 0x800000 } for pid=1772 +comm="nfsd" name="" dev=sda1 ino=256 scontext=system_u:system_r:kernel_t:s0 +tcontext=system_u:object_r:unlabeled_t:s0 tclass=file + +Turns out this is because in d_obtain_alias if we can't find an alias we create +one and do all the normal instantiation stuff, but we don't do the +security_d_instantiate. + +Usually we are protected from getting a hashed dentry that hasn't yet run +security_d_instantiate() by the parent's i_mutex, but obviously this isn't an +option there, so in order to deal with the case that a second thread comes in +and finds our new dentry before we get to run security_d_instantiate(), we go +ahead and call it if we find a dentry already. Eric assures me that this is ok +as the code checks to see if the dentry has been initialized already so calling +security_d_instantiate() against the same dentry multiple times is ok. With +this patch I'm no longer getting errant -EACCESS values. + +Signed-off-by: Josef Bacik +--- +V1->V2: +-added second security_d_instantiate() call + + fs/dcache.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +diff --git a/fs/dcache.c b/fs/dcache.c +index 23702a9..119d489 100644 +--- a/fs/dcache.c ++++ b/fs/dcache.c +@@ -1201,9 +1201,12 @@ struct dentry *d_obtain_alias(struct inode *inode) + spin_unlock(&tmp->d_lock); + + spin_unlock(&dcache_lock); ++ security_d_instantiate(tmp, inode); + return tmp; + + out_iput: ++ if (res && !IS_ERR(res)) ++ security_d_instantiate(res, inode); + iput(inode); + return res; + } +-- +1.6.6.1 + +-- +To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html + diff --git a/kernel.spec b/kernel.spec index e7e4df2f9..a985dba09 100644 --- a/kernel.spec +++ b/kernel.spec @@ -748,6 +748,8 @@ Patch12435: btrfs-fix-error-handling-in-btrfs_get_sb.patch Patch12436: btrfs-fix-race-between-btrfs_get_sb-and-umount.patch Patch12437: btrfs-setup-blank-root-and-fs_info-for-mount-time.patch +Patch12438: fs-call-security_d_instantiate-in-d_obtain_alias.patch + %endif BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root @@ -1194,6 +1196,9 @@ ApplyPatch linux-2.6-32bit-mmap-exec-randomization.patch # bugfixes to drivers and filesystems # +#rhbz#662344 +ApplyPatch fs-call-security_d_instantiate-in-d_obtain_alias.patch + # ext4 # xfs @@ -1205,7 +1210,6 @@ ApplyPatch btrfs-fix-error-handling-in-btrfs_get_sb.patch ApplyPatch btrfs-fix-race-between-btrfs_get_sb-and-umount.patch ApplyPatch btrfs-setup-blank-root-and-fs_info-for-mount-time.patch - # eCryptfs # NFSv4 @@ -2010,6 +2014,9 @@ fi # || || %changelog +* Sat Dec 18 2010 Kyle McMartin +- Fix SELinux issues with NFS/btrfs and/or xfsdump. (#662344) + * Fri Dec 10 2010 Kyle McMartin - pci-disable-aspm-if-bios-asks-us-to.patch: Patch from mjg59 to disable ASPM if the BIOS has disabled it, but enabled it already on some devices.