selinux: delay inode label lookup as long as possible
authorPaul Moore <paul@paul-moore.com>
Mon, 4 Apr 2016 18:14:42 +0000 (14:14 -0400)
committerAnand Jain <anand.jain@oracle.com>
Thu, 26 Oct 2017 08:15:29 +0000 (16:15 +0800)
Since looking up an inode's label can result in revalidation, delay
the lookup as long as possible to limit the performance impact.

Signed-off-by: Paul Moore <paul@paul-moore.com>
Orabug: 25684456

(backport upstream commit 20cdef8d57591ec8674f65ccfe555aca5fd10b64)

Signed-off-by: Anand Jain <anand.jain@oracle.com>
Acked-by: James Morris <james.l.morris@oracle.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
Conflict resolved in:
  security/selinux/hooks.c

security/selinux/hooks.c

index 7f685f04461928770789b327ff01d7c8f89e99cc..8b851f76a377c449840169bdd9b1ae8d64ba08b5 100644 (file)
@@ -1710,7 +1710,6 @@ static int selinux_determine_inode_label(struct inode *dir,
                                         u32 *_new_isid)
 {
        const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
-       const struct inode_security_struct *dsec = inode_security(dir);
        const struct task_security_struct *tsec = current_security();
 
        if ((sbsec->flags & SE_SBINITIALIZED) &&
@@ -1720,6 +1719,7 @@ static int selinux_determine_inode_label(struct inode *dir,
                   tsec->create_sid) {
                *_new_isid = tsec->create_sid;
        } else {
+               const struct inode_security_struct *dsec = inode_security(dir);
                return security_transition_sid(tsec->sid, dsec->sid, tclass,
                                               name, _new_isid);
        }
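Review bot: The new `inode_security(dir)` line inside the `else` branch is now the only place in this function that can revalidate the parent directory's label, yet nothing marks the placement as deliberate; a later cleanup could easily hoist it back next to `sbsec` and `tsec` and silently reintroduce the cost. Suggest a comment directly above it: `/* may revalidate dir's label; only pay for it when computing a transition */`. The `if` condition that selects the `create_sid` path begins before this hunk and the function's tail follows it.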
@@ -2004,7 +2004,7 @@ static int selinux_binder_transfer_file(struct task_struct *from,
        u32 sid = task_sid(to);
        struct file_security_struct *fsec = file->f_security;
        struct dentry *dentry = file->f_path.dentry;
-       struct inode_security_struct *isec = backing_inode_security(dentry);
+       struct inode_security_struct *isec;
        struct common_audit_data ad;
        int rc;
 
@@ -2023,6 +2023,7 @@ static int selinux_binder_transfer_file(struct task_struct *from,
        if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
                return 0;
 
+       isec = backing_inode_security(dentry);
        return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
                            &ad);
 }
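Review bot: The `backing_inode_security(dentry)` lookup now sits after the `IS_PRIVATE(d_backing_inode(dentry))` early return, which is what keeps private inodes from triggering a label revalidation at all, but without a comment the ordering reads as incidental. Suggest `/* defer the (possibly revalidating) label lookup past the IS_PRIVATE bail-out */` above the new line. The head of selinux_binder_transfer_file, including the checks that fill in `ad`, is outside this hunk.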
@@ -2995,7 +2996,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
                                  const void *value, size_t size, int flags)
 {
        struct inode *inode = d_backing_inode(dentry);
-       struct inode_security_struct *isec = backing_inode_security(dentry);
+       struct inode_security_struct *isec;
        struct superblock_security_struct *sbsec;
        struct common_audit_data ad;
        u32 newsid, sid = current_sid();
@@ -3014,6 +3015,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
        ad.type = LSM_AUDIT_DATA_DENTRY;
        ad.u.dentry = dentry;
 
+       isec = backing_inode_security(dentry);
        rc = avc_has_perm(sid, isec->sid, isec->sclass,
                          FILE__RELABELFROM, &ad);
        if (rc)
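Review bot: `isec` is now resolved immediately before the `FILE__RELABELFROM` check, after the audit data is filled in, but the hunk gives no hint why the lookup left the declaration line, so the intent is easy to lose on the next rebase. A one-liner above it would do: `/* label lookup may revalidate; defer it until the permission check actually needs isec */`. Note that `inode` is still taken unconditionally from `d_backing_inode(dentry)` at the top of the function; that looks fine since it does not consult the security blob, but worth confirming nothing between there and the new line touches `isec`. Both the head of selinux_inode_setxattr and its remaining body are outside this hunk.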
@@ -3072,7 +3074,7 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
                                        int flags)
 {
        struct inode *inode = d_backing_inode(dentry);
-       struct inode_security_struct *isec = backing_inode_security(dentry);
+       struct inode_security_struct *isec;
        u32 newsid;
        int rc;
 
@@ -3089,6 +3091,7 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
                return;
        }
 
+       isec = backing_inode_security(dentry);
        isec->sclass = inode_mode_to_security_class(inode->i_mode);
        isec->sid = newsid;
        isec->initialized = 1;
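Review bot: The three stores that follow the new lookup (`isec->sclass`, `isec->sid`, `isec->initialized = 1`) run without any lock visible in this hunk, and the commit message says the lookup itself may revalidate, i.e. rewrite the same fields, so the ordering between this update and a concurrent revalidation is not obvious from the code. This is pre-existing rather than introduced by the change, but a note at the lookup site would flag it for anyone backporting per-isec locking, if this tree has such a lock: `/* NOTE(review): sid/sclass/initialized stored without isec locking - confirm a revalidation cannot race with this update */`. The `if` whose `return;` precedes the lookup begins outside the hunk.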
@@ -3130,7 +3133,7 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
        u32 size;
        int error;
        char *context = NULL;
-       struct inode_security_struct *isec = inode_security(inode);
+       struct inode_security_struct *isec;
 
        if (strcmp(name, XATTR_SELINUX_SUFFIX))
                return -EOPNOTSUPP;
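Review bot: selinux_inode_getsecurity receives `const struct inode *inode` while the deferred `inode_security(inode)` lookup further down the function may revalidate, and therefore modify, the label; if `inode_security()` in this tree takes a non-const `struct inode *`, the call discards the qualifier and that should be audited rather than silenced with a cast. Separately, moving the lookup below the `XATTR_SELINUX_SUFFIX` check means unsupported names no longer trigger a revalidation, which deserves a comment at the lookup site: `/* lookup deferred: unsupported xattr names must not revalidate the label */`. The rest of the function, including the new lookup line, lies outside this hunk.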
@@ -3146,6 +3149,7 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
         */
        error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
                                SECURITY_CAP_NOAUDIT);
+       isec = inode_security(inode);
        if (!error)
                error = security_sid_to_context_force(isec->sid, &context,
                                                      &size);