authorStephen Smalley <sds@tycho.nsa.gov>2019-11-22 12:22:44 -0500
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2020-02-14 16:53:06 -0500
commitf08a5e60bc855952f09bee7c5282e6dedf17d9dc (patch)
tree1bd6223c1693c3f16f189b3c7836900954b97e39 /security/selinux/hooks.c
parent8cec0fa22202ce1935c296f8573aa15968943b1e (diff)
selinux: revert "stop passing MAY_NOT_BLOCK to the AVC upon follow_link"
commit 1a37079c236d55fb31ebbf4b59945dab8ec8764c upstream. This reverts commit e46e01eebbbc ("selinux: stop passing MAY_NOT_BLOCK to the AVC upon follow_link"). The correct fix is to instead fall back to ref-walk if audit is required irrespective of the specific audit data type. This is done in the next commit. Fixes: e46e01eebbbc ("selinux: stop passing MAY_NOT_BLOCK to the AVC upon follow_link") Reported-by: Will Deacon <will@kernel.org> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r--security/selinux/hooks.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 116b4d644f689..710a4fffa66f4 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3004,8 +3004,9 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
if (IS_ERR(isec))
return PTR_ERR(isec);
- return avc_has_perm(&selinux_state,
- sid, isec->sid, isec->sclass, FILE__READ, &ad);
+ return avc_has_perm_flags(&selinux_state,
+ sid, isec->sid, isec->sclass, FILE__READ, &ad,
+ rcu ? MAY_NOT_BLOCK : 0);
}
static noinline int audit_inode_permission(struct inode *inode,
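Review bot: The new flags argument `rcu ? MAY_NOT_BLOCK : 0` on the restored `avc_has_perm_flags()` call has no comment, yet it is the line that decides whether this permission check may sleep. I would put `/* RCU-walk (rcu != 0): the AVC check must not block, so pass MAY_NOT_BLOCK */` directly above the `return`. The same `&ad` is still handed to the AVC in both modes, and the hunk does not show how `ad` is populated or what the audit path does with it when the flag is set, so the comment should also name which audit data type is in use and that it is consulted under RCU-walk. The body of `selinux_inode_follow_link()` starts outside this hunk, so the setup of `sid`, `isec` and `ad` could not be checked here.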