selinux: fix labeling of /proc/net inodes

The proc net rewrite had a side effect on selinux, leading it to mislabel
the /proc/net inodes, thereby leading to incorrect denials.  Fix
security_genfs_sid to ignore extra leading / characters in the path supplied
by selinux_proc_get_sid since we now get "//net/..." rather than "/net/...".

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>

diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index f83b19daed16181a86ede00b8d1455432f05acec..4bf715d4cf29e2090ab2d7d97b346a5e4087f9dd 100644 (file)
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1744,6 +1744,9 @@ int security_genfs_sid(const char *fstype,
        struct ocontext *c;
        int rc = 0, cmp = 0;
 
+       while (path[0] == '/' && path[1] == '/')
+               path++;
+
        POLICY_RDLOCK;
 
        for (genfs = policydb.genfs; genfs; genfs = genfs->next) {