Commit Graph

8 Commits

Author SHA1 Message Date
Ondrej Mosnacek
c62a3ee57d selinux: never allow relabeling on context mounts
commit a83d6ddaebe541570291205cb538e35ad4ff94f9 upstream.

In the SECURITY_FS_USE_MNTPOINT case we never want to allow relabeling
files/directories, so we should never set the SBLABEL_MNT flag. The
'special handling' in selinux_is_sblabel_mnt() is only intended for when
the behavior is set to SECURITY_FS_USE_GENFS.

While there, make the logic in selinux_is_sblabel_mnt() more explicit
and add a BUILD_BUG_ON() to make sure that introducing a new
SECURITY_FS_USE_* forces a review of the logic.

Fixes: d5f3a5f6e7e7 ("selinux: add security in-core xattr support for pstore and debugfs")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-04-06 16:42:43 +02:00
prashantpaddune
65ec1a57de Merge branch 'master' of https://github.com/prashantpaddune/android_device_samsung_a7y18lte 2020-04-06 19:42:12 +05:30
prashantpaddune
c3a97e0a7f Revert "selinux: mega switch"
This reverts commit 25ec2170d7.
2020-04-06 19:40:33 +05:30
prashantpaddune
35df3f88b7 Revert "security: defex: set Defex to Permissive status"
This reverts commit 8dc78907ea.
2020-04-06 19:40:02 +05:30
Jann Horn
843c0a22b2 device_cgroup: fix RCU imbalance in error case
commit 0fcc4c8c044e117ac126ab6df4138ea9a67fa2a9 upstream.

When dev_exception_add() returns an error (due to a failed memory
allocation), make sure that we move the RCU preemption count back to where
it was before we were called. We dropped the RCU read lock inside the loop
body, so we can't just "break".

sparse complains about this, too:

$ make -s C=2 security/device_cgroup.o
./include/linux/rcupdate.h:647:9: warning: context imbalance in
'propagate_exception' - unexpected unlock

Fixes: d591fb56618f ("device_cgroup: simplify cgroup tree walk in propagate_exception()")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-04-06 15:57:12 +02:00
prashantpaddune
8dc78907ea security: defex: set Defex to Permissive status
As discovered by @topjohnwu, new Samsung Processes protection blocks cpboot-daemon from running when Magisk is installed, preventing the baseband from working. Set Defex to Permissive to avoid this and future issues.

Signed-off-by: BlackMesa123 <brother12@hotmail.it>
2020-04-05 19:34:28 +05:30
BlackMesa123
25ec2170d7 selinux: mega switch 2020-04-05 19:32:55 +05:30
prashantpaddune
3bca37f224 A750FXXU4CTBC 2020-03-27 21:51:54 +05:30