selinux: Implementation for inode_copy_up_xattr() hook
When a file is copied up in overlay, we have already created file on upper/ with right label and there is no need to copy up selinux label/xattr from lower file to upper file. In fact in case of context mount, we don't want to copy up label as newly created file got its label from context= option. Signed-off-by: Vivek Goyal <vgoyal@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit is contained in:
parent
121ab822ef
commit
19472b69d6
@ -3313,6 +3313,21 @@ static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int selinux_inode_copy_up_xattr(const char *name)
|
||||
{
|
||||
/* The copy_up hook above sets the initial context on an inode, but we
|
||||
* don't then want to overwrite it by blindly copying all the lower
|
||||
* xattrs up. Instead, we have to filter out SELinux-related xattrs.
|
||||
*/
|
||||
if (strcmp(name, XATTR_NAME_SELINUX) == 0)
|
||||
return 1; /* Discard */
|
||||
/*
|
||||
* Any other attribute apart from SELINUX is not claimed, supported
|
||||
* by selinux.
|
||||
*/
|
||||
return -EOPNOTSUPP;
|
||||
}
|
||||
|
||||
/* file security operations */
|
||||
|
||||
static int selinux_revalidate_file_permission(struct file *file, int mask)
|
||||
@ -6109,6 +6124,7 @@ static struct security_hook_list selinux_hooks[] = {
|
||||
LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
|
||||
LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
|
||||
LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
|
||||
LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
|
||||
|
||||
LSM_HOOK_INIT(file_permission, selinux_file_permission),
|
||||
LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
|
||||
|
Loading…
Reference in New Issue
Block a user