SELinux: Handle opening of a unioned file

Handle the opening of a unioned file by trying to derive the label that would
be attached to the union-layer inode if it doesn't exist.

If the union-layer inode does exist (as it necessarily does in overlayfs, but
not in unionmount), we assume that it has the right label and use that.
Otherwise we try to get it from the superblock.

If the superblock has a globally-applied label, we use that, otherwise we try
to transition to an appropriate label. This union label is then stored in the
file_security_struct.

We then perform an additional check to make sure that the calling task is
granted permission by the union-layer inode label to open the file in addition
to a check to make sure that the task is granted permission to open the lower
file with the lower inode label.

Signed-off-by: David Howells <dhowells@redhat.com>
2 files changed