From patchwork Mon Feb 29 16:10:23 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stephen Smalley X-Patchwork-Id: 8456061 Return-Path: X-Original-To: patchwork-selinux@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork1.web.kernel.org (Postfix) with ESMTP id 7CC539F52D for ; Mon, 29 Feb 2016 16:44:04 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id E0D712021A for ; Mon, 29 Feb 2016 16:44:03 +0000 (UTC) Received: from emvm-gh1-uea08.nsa.gov (emvm-gh1-uea08.nsa.gov [63.239.67.9]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 81E9A201B9 for ; Mon, 29 Feb 2016 16:44:02 +0000 (UTC) X-TM-IMSS-Message-ID: <50e40ec80000718f@nsa.gov> Received: from tarius.tycho.ncsc.mil ([144.51.242.1]) by nsa.gov ([10.208.42.193]) with ESMTP (TREND IMSS SMTP Service 7.1) id 50e40ec80000718f ; Mon, 29 Feb 2016 11:10:38 -0500 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id u1TG9V6h020354; Mon, 29 Feb 2016 11:09:55 -0500 Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id u1TG9Uhd183096 for ; Mon, 29 Feb 2016 11:09:30 -0500 Received: from moss-pluto.infosec.tycho.ncsc.mil (moss-pluto [192.168.25.131]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id u1TG9Uuk020347; Mon, 29 Feb 2016 11:09:30 -0500 From: Stephen Smalley To: selinux@tycho.nsa.gov Subject: [PATCH] libselinux: only mount /proc if necessary Date: Mon, 29 Feb 2016 11:10:23 -0500 Message-Id: <1456762223-8702-1-git-send-email-sds@tycho.nsa.gov> X-Mailer: git-send-email 2.4.3 X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: Cc: Stephen Smalley MIME-Version: 1.0 Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-TM-AS-MML: disable X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI, RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Commit 9df498884665d ("libselinux: Mount procfs before checking /proc/filesystems") changed selinuxfs_exists() to always try mounting /proc before reading /proc/filesystems. However, this is unnecessary if /proc is already mounted and can produce avc denials if the process is not allowed to perform the mount. Check first to see if /proc is already present and only try the mount if it is not. Signed-off-by: Stephen Smalley --- libselinux/src/init.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libselinux/src/init.c b/libselinux/src/init.c index 3db4de0..3530594 100644 --- a/libselinux/src/init.c +++ b/libselinux/src/init.c @@ -12,6 +12,7 @@ #include #include #include +#include #include "dso.h" #include "policy.h" @@ -57,13 +58,19 @@ static int verify_selinuxmnt(const char *mnt) int selinuxfs_exists(void) { - int exists = 0, mnt_rc = 0; + int exists = 0, mnt_rc = -1, rc; + struct statfs sb; FILE *fp = NULL; char *buf = NULL; size_t len; ssize_t num; - mnt_rc = mount("proc", "/proc", "proc", 0, 0); + do { + rc = statfs("/proc", &sb); + } while (rc < 0 && errno == EINTR); + + if (rc == 0 && ((uint32_t)sb.f_type != (uint32_t)PROC_SUPER_MAGIC)) + mnt_rc = mount("proc", "/proc", "proc", 0, 0); fp = fopen("/proc/filesystems", "r"); if (!fp) {