Commit a6748458 authored by Zhen Lei, committed by Gu Bowen

selinux: add the processing of the failure of avc_add_xperms_decision()

stable inclusion
from stable-v6.6.48
commit 5295951b53bd372767600a0296b01ee031ca1b1b
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IB0X4B

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=5295951b53bd372767600a0296b01ee031ca1b1b

--------------------------------

commit 6dd1e4c045afa6a4ba5d46f044c83bd357c593c2 upstream.

When avc_add_xperms_decision() fails, the information recorded by the new
avc node is incomplete. In this case, the new avc node should be released
instead of replacing the old avc node.

Cc: stable@vger.kernel.org
Fixes: fa1aa143 ("selinux: extended permissions for ioctls")
Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Conflicts:
	security/selinux/avc.c
[Because commit e67b7985 (selinux: stop passing selinux_state pointers
and their offspring) is not merged in this version, the selinux_avc
pointer is added as a function parameter.]
Signed-off-by: Gu Bowen <gubowen5@huawei.com>
parent ef5d1e35
+5 −1
@@ -927,7 +927,11 @@ static int avc_update_node(struct selinux_avc *avc,
		node->ae.avd.auditdeny &= ~perms;
		break;
	case AVC_CALLBACK_ADD_XPERMS:
		avc_add_xperms_decision(node, xpd);
		rc = avc_add_xperms_decision(node, xpd);
		if (rc) {
			avc_node_kill(avc, node);
			goto out_unlock;
		}
		break;
	}
	avc_node_replace(avc, node, orig);
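Review bot: the new error path in the AVC_CALLBACK_ADD_XPERMS case relies on two things this hunk does not show: that the `out_unlock` label releases the lock held across this switch, and that `rc` is what avc_update_node() returns to its caller, so the caller learns that the update was dropped rather than assuming the node was replaced. Both should be confirmed against the full function before merge. Replacing the bare `avc_add_xperms_decision(node, xpd);` with `rc = avc_add_xperms_decision(node, xpd);` is the right fix for the incomplete-node problem described in the commit message, and `avc_node_kill(avc, node);` before the jump correctly frees the half-built node instead of letting `avc_node_replace(avc, node, orig);` install it. One nit for the backport: `avc_node_kill(avc, node)` takes the `avc` pointer that the Conflicts note says was added for this tree, matching `avc_node_replace(avc, node, orig)` in the trailing context; it would help reviewers if the Conflicts note named that call explicitly as the place the extra parameter was threaded through.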