Re: [PATCH 5.4 85/96] selinux: revert "stop passing MAY_NOT_BLOCK to the AVC upon follow_link"

From: Greg Kroah-Hartman
Date: Thu Feb 13 2020 - 11:27:25 EST

On Thu, Feb 13, 2020 at 11:01:41AM -0500, Stephen Smalley wrote:
> On 2/13/20 10:21 AM, Greg Kroah-Hartman wrote:
> > From: Stephen Smalley <sds@xxxxxxxxxxxxx>
> >
> > commit 1a37079c236d55fb31ebbf4b59945dab8ec8764c upstream.
> >
> > This reverts commit e46e01eebbbc ("selinux: stop passing MAY_NOT_BLOCK
> > to the AVC upon follow_link"). The correct fix is to instead fall
> > back to ref-walk if audit is required irrespective of the specific
> > audit data type. This is done in the next commit.
> >
> > Fixes: e46e01eebbbc ("selinux: stop passing MAY_NOT_BLOCK to the AVC upon follow_link")
> > Reported-by: Will Deacon <will@xxxxxxxxxx>
> > Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
> > Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
>
> This patch should be accompanied by commit
> 0188d5c025ca8fe756ba3193bd7d150139af5a88 ("selinux: fall back to ref-walk if
> audit is required"). The former is reverting an incorrect fix for
> bda0be7ad994 ("security: make inode_follow_link RCU-walk aware"), the latter
> is providing the correct fix for it.

Thanks for letting me know, now queued up for both trees.

greg k-h