git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commit

author	Stephen Smalley <sds@tycho.nsa.gov>
	Tue, 4 Sep 2018 20:51:36 +0000 (16:51 -0400)
committer	Juerg Haefliger <juergh@canonical.com>
	Wed, 24 Jul 2019 01:58:22 +0000 (19:58 -0600)
commit	7c5f34453cf0634fe1509998aff8c24366bf5c6e
tree	5d518ff751a11ebd39017a04e2d860a9e749fcd2	tree
parent	72455d1735315341b76cb94a33736873ca706370	commit \| diff

selinux: fix mounting of cgroup2 under older policies

BugLink: https://bugs.launchpad.net/bugs/1836802
commit 7bb185edb0306bb90029a5fa6b9cff900ffdbf4b upstream.

commit 901ef845fa2469c ("selinux: allow per-file labeling for cgroupfs")
broke mounting of cgroup2 under older SELinux policies which lacked
a genfscon rule for cgroup2. This prevents mounting of cgroup2 even
when SELinux is permissive.

Change the handling when there is no genfscon rule in policy to
just mark the inode unlabeled and not return an error to the caller.
This permits mounting and access if allowed by policy, e.g. to
unconfined domains.

I also considered changing the behavior of security_genfs_sid() to
never return -ENOENT, but the current behavior is relied upon by
other callers to perform caller-specific handling.

Fixes: 901ef845fa2469c ("selinux: allow per-file labeling for cgroupfs")
CC: <stable@vger.kernel.org>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Reported-by: Waiman Long <longman@redhat.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Tested-by: Waiman Long <longman@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>