    fs: call security_d_instantiate in d_obtain_alias V2 · 24ff6663
    Josef Bacik authored
    While trying to track down some NFS problems with BTRFS, I kept noticing I was
    getting -EACCES for no apparent reason.  Eric Paris and printk() helped me
    figure out that it was SELinux that was giving me grief, with the following
    denial:
    
    type=AVC msg=audit(1290013638.413:95): avc:  denied  { 0x800000 } for  pid=1772
    comm="nfsd" name="" dev=sda1 ino=256 scontext=system_u:system_r:kernel_t:s0
    tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
    
    Turns out this is because in d_obtain_alias if we can't find an alias we create
    one and do all the normal instantiation stuff, but we don't do the
    security_d_instantiate.
    
    Usually we are protected from getting a hashed dentry that hasn't yet run
    security_d_instantiate() by the parent's i_mutex, but obviously this isn't an
    option there, so in order to deal with the case that a second thread comes in
    and finds our new dentry before we get to run security_d_instantiate(), we go
    ahead and call it if we find a dentry already.  Eric assures me that this is ok
    as the code checks to see if the dentry has been initialized already so calling
    security_d_instantiate() against the same dentry multiple times is ok.  With
    this patch I'm no longer getting errant -EACCES values.

    Signed-off-by: Josef Bacik <josef@redhat.com>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
dcache.c 78.3 KB