From 68979e578cbea71211af45685561df52232623d1 Mon Sep 17 00:00:00 2001
From: Bernhard Voelker <mail@bernhard-voelker.de>
Date: Sat, 25 Dec 2021 16:14:59 +0100
Subject: find: avoid '-D stat' side effect on SELinux handling with -L or -H

With the '-D stat' debugging option turned on, 'find -L' determined the
SELinux context information as if the -L (or -H) option was not given:

  $ strace -ve getxattr,lgetxattr find -L . -maxdepth 0 -printf '%Z:%p\n'
  getxattr(".", "security.selinux", 0x55b29a2b2d40, 255) = -1 ENODATA (No data available)
  ...

  $ strace -ve getxattr,lgetxattr find -D stat -L . -maxdepth 0 -printf '%Z:%p\n'
  lgetxattr(".", "security.selinux", 0x5649c91d8d40, 255) = -1 ENODATA (No data available)
  ...

* find/parser.c (set_follow_state): Move the DebugStat handling after
the switch statement, thus eliminating the if/else.

Bug present since adding the SELinux implementation in v4.5.5-42-g1a05af6a.
---
 NEWS          |  6 ++++++
 find/parser.c | 49 ++++++++++++++++++++++++-------------------------
 2 files changed, 30 insertions(+), 25 deletions(-)

diff --git a/NEWS b/NEWS
index 02c1c55d..046eaddb 100644
--- a/NEWS
+++ b/NEWS
@@ -14,6 +14,12 @@ GNU findutils NEWS - User visible changes.      -*- outline -*- (allout)
   update now skips (fuse-mounted) s3fs filesystems by default,
   i.e., unless PRUNEFS is set.
 
+** Bug Fixes
+
+  'find -D stat -L ...' no longer determines SELinux security information as
+  if the -L option was not given.
+  [Bug present since the SELinux implementation in 4.5.6]
+
 ** Documentation Changes
 
   The find.1 man page and the Texinfo manual now show environment variables
diff --git a/find/parser.c b/find/parser.c
index f5d100a2..454764f3 100644
--- a/find/parser.c
+++ b/find/parser.c
@@ -503,6 +503,30 @@ get_stat_Ytime (const struct stat *p,
 void
 set_follow_state (enum SymlinkOption opt)
 {
+  switch (opt)
+    {
+    case SYMLINK_ALWAYS_DEREF:  /* -L */
+      options.xstat = optionl_stat;
+      options.x_getfilecon = optionl_getfilecon;
+      options.no_leaf_check = true;
+      break;
+
+    case SYMLINK_NEVER_DEREF:	/* -P (default) */
+      options.xstat = optionp_stat;
+      options.x_getfilecon = optionp_getfilecon;
+      /* Can't turn no_leaf_check off because the user might have specified
+       * -noleaf anyway
+       */
+      break;
+
+    case SYMLINK_DEREF_ARGSONLY: /* -H */
+      options.xstat = optionh_stat;
+      options.x_getfilecon = optionh_getfilecon;
+      options.no_leaf_check = true;
+    }
+
+  options.symlink_handling = opt;
+
   if (options.debug_options & DebugStat)
     {
       /* For DebugStat, the choice is made at runtime within debug_stat()
@@ -510,31 +534,6 @@ set_follow_state (enum SymlinkOption opt)
        */
       options.xstat = debug_stat;
     }
-  else
-    {
-      switch (opt)
-	{
-	case SYMLINK_ALWAYS_DEREF:  /* -L */
-	  options.xstat = optionl_stat;
-	  options.x_getfilecon = optionl_getfilecon;
-	  options.no_leaf_check = true;
-	  break;
-
-	case SYMLINK_NEVER_DEREF:	/* -P (default) */
-	  options.xstat = optionp_stat;
-	  options.x_getfilecon = optionp_getfilecon;
-	  /* Can't turn no_leaf_check off because the user might have specified
-	   * -noleaf anyway
-	   */
-	  break;
-
-	case SYMLINK_DEREF_ARGSONLY: /* -H */
-	  options.xstat = optionh_stat;
-	  options.x_getfilecon = optionh_getfilecon;
-	  options.no_leaf_check = true;
-	}
-    }
-  options.symlink_handling = opt;
 }
 
 
-- 
cgit v1.2.1