From af4150e872da5c8550d70557c2577a6db8d7d34f Mon Sep 17 00:00:00 2001 From: Vivek Goyal Date: Wed, 13 Jul 2016 10:44:50 -0400 Subject: [PATCH] selinux: Implementation for inode_copy_up_xattr() hook When a file is copied up in overlay, we have already created file on upper/ with right label and there is no need to copy up selinux label/xattr from lower file to upper file. In fact in case of context mount, we don't want to copy up label as newly created file got its label from context= option. Signed-off-by: Vivek Goyal Acked-by: Stephen Smalley Signed-off-by: Paul Moore Orabug: 25684456 (backport upstream commit 19472b69d639d58415866bf127d5f9005038c105) Signed-off-by: Anand Jain Acked-by: James Morris Reviewed-by: James Morris --- security/selinux/hooks.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 08384b887bb0..c4470b11c214 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3224,6 +3224,21 @@ static int selinux_inode_copy_up(struct dentry *src, struct cred **new) return 0; } +static int selinux_inode_copy_up_xattr(const char *name) +{ + /* The copy_up hook above sets the initial context on an inode, but we + * don't then want to overwrite it by blindly copying all the lower + * xattrs up. Instead, we have to filter out SELinux-related xattrs. + */ + if (strcmp(name, XATTR_NAME_SELINUX) == 0) + return 1; /* Discard */ + /* + * Any other attribute apart from SELINUX is not claimed, supported + * by selinux. + */ + return -EOPNOTSUPP; +} + /* file security operations */ static int selinux_revalidate_file_permission(struct file *file, int mask) @@ -5943,6 +5958,7 @@ static struct security_operations selinux_ops = { .inode_listsecurity = selinux_inode_listsecurity, .inode_getsecid = selinux_inode_getsecid, .inode_copy_up = selinux_inode_copy_up, + .inode_copy_up_xattr = selinux_inode_copy_up_xattr, .file_permission = selinux_file_permission, .file_alloc_security = selinux_file_alloc_security, -- 2.50.1