From patchwork Mon Sep 28 20:01:13 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Howells X-Patchwork-Id: 7279741 Return-Path: X-Original-To: patchwork-linux-fsdevel@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork1.web.kernel.org (Postfix) with ESMTP id 106129F32B for ; Mon, 28 Sep 2015 20:01:39 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 4C939206DB for ; Mon, 28 Sep 2015 20:01:38 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 59290206D8 for ; Mon, 28 Sep 2015 20:01:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753284AbbI1UBW (ORCPT ); Mon, 28 Sep 2015 16:01:22 -0400 Received: from mx1.redhat.com ([209.132.183.28]:49394 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753205AbbI1UBS (ORCPT ); Mon, 28 Sep 2015 16:01:18 -0400 Received: from int-mx11.intmail.prod.int.phx2.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24]) by mx1.redhat.com (Postfix) with ESMTPS id 482C1461D3; Mon, 28 Sep 2015 20:01:18 +0000 (UTC) Received: from warthog.procyon.org.uk ([10.3.112.5]) by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t8SK1DRn003708; Mon, 28 Sep 2015 16:01:14 -0400 Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 Subject: [PATCH 5/5] SELinux: Check against union label for file operations From: David Howells To: linux-unionfs@vger.kernel.org, selinux@tycho.nsa.gov Cc: mjg59@srcf.ucam.org, dwalsh@redhat.com, linux-kernel@vger.kernel.org, eparis@redhat.com, dhowells@redhat.com, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, sds@tycho.nsa.gov Date: Mon, 28 Sep 2015 21:01:13 +0100 Message-ID: <20150928200113.8141.56806.stgit@warthog.procyon.org.uk> In-Reply-To: <20150928200018.8141.2982.stgit@warthog.procyon.org.uk> References: <20150928200018.8141.2982.stgit@warthog.procyon.org.uk> User-Agent: StGit/0.17.1-dirty MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24 Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI, T_RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP File operations (eg. read, write) issued against a file that is attached to the lower layer of a union file needs to be checked against the union-layer label not the lower layer label. The union label is stored in the file_security_struct rather than being retrieved from one of the inodes. Signed-off-by: David Howells --- security/selinux/hooks.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 522b070d9e2b..ecc883b6d463 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1682,6 +1682,7 @@ static int file_has_perm(const struct cred *cred, struct file *file, u32 av) { + struct inode_security_struct *isec; struct file_security_struct *fsec = file->f_security; struct inode *inode = file_inode(file); struct common_audit_data ad; @@ -1702,8 +1703,15 @@ static int file_has_perm(const struct cred *cred, /* av is zero if only checking access to the descriptor. */ rc = 0; - if (av) - rc = inode_has_perm(cred, inode, av, &ad); + if (av && likely(!IS_PRIVATE(inode))) { + if (fsec->union_isid) { + isec = inode->i_security; + rc = avc_has_perm(sid, fsec->union_isid, isec->sclass, + av, &ad); + } + if (!rc) + rc = inode_has_perm(cred, inode, av, &ad); + } out: return rc;