@@ -824,7 +824,7 @@ static void ib_policy_change_task(struct work_struct *work)
static int ib_security_change(struct notifier_block *nb, unsigned long event,
void *lsm_data)
{
- if (event != LSM_POLICY_CHANGE)
+ if (event != LSM_POLICY_CHANGE && event != LSM_STATE_CHANGE)
return NOTIFY_DONE;
schedule_work(&ib_policy_change_work);
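Review bot: The widened condition on the `if (event != ...)` line is the only place that records that the InfiniBand subscriber treats an LSM_STATE_CHANGE exactly like an LSM_POLICY_CHANGE, and nothing says why the same work item is the right response to both. A one-line comment above the check would carry that, e.g. `/* A policy reload and an enforcing-state change both require re-running the IB security checks */`, hedged to whatever ib_policy_change_work actually re-evaluates (it is defined outside this hunk). Since lsm_event is now growing, a `switch (event)` with the two handled cases and `default: return NOTIFY_DONE;` would also read better than an `&&` chain that must be extended for every new event. The body of ib_security_change continues past the end of the hunk.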
@@ -75,6 +75,7 @@ struct timezone;
enum lsm_event {
LSM_POLICY_CHANGE,
+ LSM_STATE_CHANGE,
};
/* These functions are in security/commoncap.c */
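Review bot: The new LSM_STATE_CHANGE enumerator is added with no comment, so a reader of include/linux/security.h cannot tell a "state" change from a "policy" change without finding the selinuxfs caller. Short trailing comments on both values would fix that, e.g. `LSM_POLICY_CHANGE, /* a security policy was (re)loaded */` and `LSM_STATE_CHANGE, /* enforcing state changed, e.g. setenforce */`, keeping the wording to what the SELinux call site in this patch actually emits. Appending the value keeps LSM_POLICY_CHANGE's numeric value stable, which is good. Note that any other notifier subscriber that tests `event == LSM_POLICY_CHANGE` will from now on silently stop seeing the setenforce notification that used to arrive under that name; only the infiniband subscriber is updated in this diffstat, so other callers of register_blocking_lsm_notifier (if any) should be audited.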
@@ -982,7 +982,7 @@ int avc_ss_reset(struct selinux_avc *avc, u32 seqno)
avc_flush(avc);
for (c = avc_callbacks; c; c = c->next) {
- if (c->events & AVC_CALLBACK_RESET) {
+ if (c->events & AVC_CALLBACK_RESET && seqno) {
tmprc = c->callback(AVC_CALLBACK_RESET);
/* save the first error encountered for the return
value and continue processing the callbacks */
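Review bot: The new `seqno` guard on the AVC_CALLBACK_RESET line relies on `&` binding tighter than `&&`, which is correct but easy to misread; write it as `if ((c->events & AVC_CALLBACK_RESET) && seqno) {` so the intent is explicit. More importantly, the meaning of `seqno == 0` here is not documented anywhere in the hunk, and the commit message does not mention this change at all, although it alters which callers of avc_ss_reset reach the reset callbacks. If `seqno == 0` is the value passed on the setenforce path, a comment such as `/* seqno == 0 is a plain cache flush (setenforce), not a policy reload: do not fire the reset callbacks */` would state that, and the commit message should explain the asymmetry between the enforcing and permissive directions it creates. The loop and avc_ss_reset itself extend beyond this hunk.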
@@ -178,7 +178,7 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
selnl_notify_setenforce(new_value);
selinux_status_update_setenforce(state, new_value);
if (!new_value)
- call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
+ call_blocking_lsm_notifier(LSM_STATE_CHANGE, NULL);
}
length = count;
out:
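Review bot: The LSM_STATE_CHANGE notification on the changed line is sent only when `new_value` is zero, i.e. on the switch to permissive, so subscribers never hear about the switch back to enforcing and the NULL data argument gives them no way to tell which direction the change went. A comment above the `if (!new_value)` line should make the one-directional behaviour explicit, e.g. `/* Only the enforcing->permissive transition is announced; see avc_ss_reset() for the other direction */`, with the second clause dropped if that is not where the enforcing path notifies. If upper LSMs need the new state rather than just a wake-up, consider passing it instead of NULL, though that changes the data contract for every subscriber of this event. sel_write_enforce starts before and ends after this hunk.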
This patch introduces a new event type called LSM_STATE_CHANGE to distinguish between state change and policy change. The purpose of this patch is to let upper LSMs know when they can get the label assigned by the lower LSMs (e.g. SELinux) with security_secid_to_secctx(). Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> --- drivers/infiniband/core/device.c | 2 +- include/linux/security.h | 1 + security/selinux/avc.c | 2 +- security/selinux/selinuxfs.c | 2 +- 4 files changed, 4 insertions(+), 3 deletions(-)