Re: BUG at security/selinux/avc.c:883 (was: Re: linux-next: Treefor July 17: early crash on x86-64)

From: Stephen Smalley
Date: Mon Jul 28 2008 - 13:34:37 EST

Next message: Jack Steiner: "Re: GRU driver feedback"
Previous message: Justin Mattock: "Re: NETDEV WATCHDOG: wifi0: transmit timed out"
Next in thread: James Morris: "Re: BUG at security/selinux/avc.c:883 (was: Re: linux-next: Treefor July 17: early crash on x86-64)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sun, 2008-07-20 at 13:15 +0100, Al Viro wrote:
> On Sun, Jul 20, 2008 at 11:42:53AM +0200, Thomas Meyer wrote:
> > Am Sonntag, den 20.07.2008, 05:54 +1000 schrieb James Morris:
> > > On Sat, 19 Jul 2008, Rafael J. Wysocki wrote:
> > >
> > > > > vfs-next/net-next conflict; apply the patch below on top of the
> > > merge.
> > > >
> > > > That helped, thanks.
> > > >
> > > > But next it ran into the BUG_ON() in line 883 of
> > > security/selinux/avc.c .
> > > > Disabling selinux made the kernel boot, finally.
> > >
> > > Ugh, that's not supposed to happen. Where was this in the boot? Do
> > > you
> > > have a console log?
>
> Argh... Fallout from ->permission() patch series. I've folded that into
> rebase (along with Randy's compile fixes and missing bit in capability.c
> in ->inode_permission() patch; AFAICS takes care of all mismerges as well).
> In the meanwhile, see the patch below on top of next-20080718:
>
> diff --git a/fs/namei.c b/fs/namei.c
> index a15c155..c0a64e2 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -286,7 +286,8 @@ int permission(struct inode *inode, int mask, struct nameidata *nd)
> if (retval)
> return retval;
>
> - return security_inode_permission(inode, mask);
> + return security_inode_permission(inode,
> + mask & (MAY_READ|MAY_WRITE|MAY_EXEC));
> }
>
> /**

SELinux needs MAY_APPEND to be passed down to the security hook.
Otherwise, we get permission denials when only append permission is
granted by policy even if the opening process specified O_APPEND.
Shows up as a regression in the ltp selinux testsuite, fixed by
this patch.

Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>

---

fs/namei.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/namei.c b/fs/namei.c
index a7b0a0b..b91e973 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -274,7 +274,7 @@ int inode_permission(struct inode *inode, int mask)
return retval;

return security_inode_permission(inode,
- mask & (MAY_READ|MAY_WRITE|MAY_EXEC));
+ mask & (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND));
}

/**

--
Stephen Smalley
National Security Agency

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Jack Steiner: "Re: GRU driver feedback"
Previous message: Justin Mattock: "Re: NETDEV WATCHDOG: wifi0: transmit timed out"
Next in thread: James Morris: "Re: BUG at security/selinux/avc.c:883 (was: Re: linux-next: Treefor July 17: early crash on x86-64)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]