[PATCH] Fix security check for joint context= and fscontext= mount options

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



After some discussion on the actual meaning of the filesystem class
security check in try context mount it was determined that the checks
for the context= mount options were not correct if fscontext mount
option had already been used.  When labeling the superblock we should be
checking relabel_from and relabel_to.  But if the superblock has already
been labeled (with fscontext) then context= is actually labeling the
inodes, and so we should be checking relabel_from and associate.  This
patch fixes which checks are called depending on the mount options.

This is issue is in 2.6.8-rc1-git4 and should probably be fixed before
2.6.18 releases.

Signed-off-by: Eric Paris <[email protected]>
Acked-by:  Stephen Smalley <[email protected]>
Acked-by: James Morris <[email protected]>

 security/selinux/hooks.c |   14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -523,12 +523,16 @@ static int try_context_mount(struct supe
 			goto out_free;
 		}
 
-		rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
-		if (rc)
-			goto out_free;
-
-		if (!fscontext)
+		if (!fscontext) {
+			rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
+			if (rc)
+				goto out_free;
 			sbsec->sid = sid;
+		} else {
+			rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
+			if (rc)
+				goto out_free;
+		}
 		sbsec->mntpoint_sid = sid;
 
 		sbsec->behavior = SECURITY_FS_USE_MNTPOINT;

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux