selinux: change security_compute_sid to return the ssid or tsid on match

If the end result of a security_compute_sid() computation matches the
ssid or tsid, return that SID rather than looking it up again. This
avoids the problem of multiple initial SIDs that map to the same
context.

Cc: [email protected]
Reported-by: Guido Trentalancia <[email protected]>
Fixes: ae25485 ("selinux: introduce an initial SID for early boot processes")
Signed-off-by: Stephen Smalley <[email protected]>
Tested-by: Guido Trentalancia <[email protected]>
Signed-off-by: Paul Moore <[email protected]>

Author: stephensmalley

security/selinux/ss/services.c

@@ -1909,11 +1909,17 @@ static int security_compute_sid(u32 ssid,
 			goto out_unlock;
 	}
 	/* Obtain the sid for the context. */
-	rc = sidtab_context_to_sid(sidtab, &newcontext, out_sid);
-	if (rc == -ESTALE) {
-		rcu_read_unlock();
-		context_destroy(&newcontext);
-		goto retry;
+	if (context_equal(scontext, &newcontext))
+		*out_sid = ssid;
+	else if (context_equal(tcontext, &newcontext))
+		*out_sid = tsid;
+	else {
+		rc = sidtab_context_to_sid(sidtab, &newcontext, out_sid);
+		if (rc == -ESTALE) {
+			rcu_read_unlock();
+			context_destroy(&newcontext);
+			goto retry;
+		}
 	}
 out_unlock:
 	rcu_read_unlock();