Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r-- | security/selinux/hooks.c | 10 |
1 files changed, 7 insertions, 3 deletions
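--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -834,10 +834,14 @@ static int selinux_set_mnt_opts(struct super_block *sb,
 }
 
 /*
-* If this is a user namespace mount, no contexts are allowed
-* on the command line and security labels must be ignored.
+* If this is a user namespace mount and the filesystem type is not
+* explicitly whitelisted, then no contexts are allowed on the command
+* line and security labels must be ignored.
 */
-if (sb->s_user_ns != &init_user_ns) {
+if (sb->s_user_ns != &init_user_ns &&
+strcmp(sb->s_type->name, "tmpfs") &&
+strcmp(sb->s_type->name, "ramfs") &&
+strcmp(sb->s_type->name, "devpts")) {
 if (context_sid || fscontext_sid || rootcontext_sid ||
 defcontext_sid) {
 rc = -EACCES;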
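Review bot: The exemption at new lines 841-844 is keyed on three inline `strcmp(sb->s_type->name, ...)` tests, and the updated comment says the types are "explicitly whitelisted" without recording why they may carry context options from a non-init user namespace. I would name them and state the criterion in the comment, for example `* tmpfs, ramfs and devpts are exempt: presumably because they have no backing store supplied by the mounter; any type added here must meet the same test.`, so that a later addition is checked against it rather than appended by analogy. The guarded block runs past the end of the hunk, and by the comment it also makes security labels be ignored, so the three types skip that part too and not only the `-EACCES` rejection; that is worth saying in the comment if it is intended. It is also worth confirming that the permission checks on the supplied context, fscontext, rootcontext and defcontext SIDs elsewhere in `selinux_set_mnt_opts` still run for these mounts, since that code is outside the hunk.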