diff options
Diffstat (limited to 'security/selinux/hooks.c')
| -rw-r--r-- | security/selinux/hooks.c | 35 |
1 files changed, 26 insertions, 9 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index f3b54466a037..6149633ff715 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -81,6 +81,7 @@ | |||
| 81 | #include <linux/syslog.h> | 81 | #include <linux/syslog.h> |
| 82 | #include <linux/user_namespace.h> | 82 | #include <linux/user_namespace.h> |
| 83 | #include <linux/export.h> | 83 | #include <linux/export.h> |
| 84 | #include <linux/security.h> | ||
| 84 | #include <linux/msg.h> | 85 | #include <linux/msg.h> |
| 85 | #include <linux/shm.h> | 86 | #include <linux/shm.h> |
| 86 | 87 | ||
| @@ -284,13 +285,14 @@ static void superblock_free_security(struct super_block *sb) | |||
| 284 | 285 | ||
| 285 | /* The file system's label must be initialized prior to use. */ | 286 | /* The file system's label must be initialized prior to use. */ |
| 286 | 287 | ||
| 287 | static const char *labeling_behaviors[6] = { | 288 | static const char *labeling_behaviors[7] = { |
| 288 | "uses xattr", | 289 | "uses xattr", |
| 289 | "uses transition SIDs", | 290 | "uses transition SIDs", |
| 290 | "uses task SIDs", | 291 | "uses task SIDs", |
| 291 | "uses genfs_contexts", | 292 | "uses genfs_contexts", |
| 292 | "not configured for labeling", | 293 | "not configured for labeling", |
| 293 | "uses mountpoint labeling", | 294 | "uses mountpoint labeling", |
| 295 | "uses native labeling", | ||
| 294 | }; | 296 | }; |
| 295 | 297 | ||
| 296 | static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); | 298 | static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); |
| @@ -678,14 +680,21 @@ static int selinux_set_mnt_opts(struct super_block *sb, | |||
| 678 | if (strcmp(sb->s_type->name, "proc") == 0) | 680 | if (strcmp(sb->s_type->name, "proc") == 0) |
| 679 | sbsec->flags |= SE_SBPROC; | 681 | sbsec->flags |= SE_SBPROC; |
| 680 | 682 | ||
| 681 | /* Determine the labeling behavior to use for this filesystem type. */ | 683 | if (!sbsec->behavior) { |
| 682 | rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid); | 684 | /* |
| 683 | if (rc) { | 685 | * Determine the labeling behavior to use for this |
| 684 | printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n", | 686 | * filesystem type. |
| 685 | __func__, sb->s_type->name, rc); | 687 | */ |
| 686 | goto out; | 688 | rc = security_fs_use((sbsec->flags & SE_SBPROC) ? |
| 689 | "proc" : sb->s_type->name, | ||
| 690 | &sbsec->behavior, &sbsec->sid); | ||
| 691 | if (rc) { | ||
| 692 | printk(KERN_WARNING | ||
| 693 | "%s: security_fs_use(%s) returned %d\n", | ||
| 694 | __func__, sb->s_type->name, rc); | ||
| 695 | goto out; | ||
| 696 | } | ||
| 687 | } | 697 | } |
| 688 | |||
| 689 | /* sets the context of the superblock for the fs being mounted. */ | 698 | /* sets the context of the superblock for the fs being mounted. */ |
| 690 | if (fscontext_sid) { | 699 | if (fscontext_sid) { |
| 691 | rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); | 700 | rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); |
| @@ -700,6 +709,11 @@ static int selinux_set_mnt_opts(struct super_block *sb, | |||
| 700 | * sets the label used on all file below the mountpoint, and will set | 709 | * sets the label used on all file below the mountpoint, and will set |
| 701 | * the superblock context if not already set. | 710 | * the superblock context if not already set. |
| 702 | */ | 711 | */ |
| 712 | if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) { | ||
| 713 | sbsec->behavior = SECURITY_FS_USE_NATIVE; | ||
| 714 | *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; | ||
| 715 | } | ||
| 716 | |||
| 703 | if (context_sid) { | 717 | if (context_sid) { |
| 704 | if (!fscontext_sid) { | 718 | if (!fscontext_sid) { |
| 705 | rc = may_context_mount_sb_relabel(context_sid, sbsec, | 719 | rc = may_context_mount_sb_relabel(context_sid, sbsec, |
| @@ -731,7 +745,8 @@ static int selinux_set_mnt_opts(struct super_block *sb, | |||
| 731 | } | 745 | } |
| 732 | 746 | ||
| 733 | if (defcontext_sid) { | 747 | if (defcontext_sid) { |
| 734 | if (sbsec->behavior != SECURITY_FS_USE_XATTR) { | 748 | if (sbsec->behavior != SECURITY_FS_USE_XATTR && |
| 749 | sbsec->behavior != SECURITY_FS_USE_NATIVE) { | ||
| 735 | rc = -EINVAL; | 750 | rc = -EINVAL; |
| 736 | printk(KERN_WARNING "SELinux: defcontext option is " | 751 | printk(KERN_WARNING "SELinux: defcontext option is " |
| 737 | "invalid for this filesystem type\n"); | 752 | "invalid for this filesystem type\n"); |
| @@ -1230,6 +1245,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent | |||
| 1230 | } | 1245 | } |
| 1231 | 1246 | ||
| 1232 | switch (sbsec->behavior) { | 1247 | switch (sbsec->behavior) { |
| 1248 | case SECURITY_FS_USE_NATIVE: | ||
| 1249 | break; | ||
| 1233 | case SECURITY_FS_USE_XATTR: | 1250 | case SECURITY_FS_USE_XATTR: |
| 1234 | if (!inode->i_op->getxattr) { | 1251 | if (!inode->i_op->getxattr) { |
| 1235 | isec->sid = sbsec->def_sid; | 1252 | isec->sid = sbsec->def_sid; |