This repository was archived by the owner on Sep 24, 2020. It is now read-only.
Merged
20 commits
56c7486
Add secure_modules() call
Aug 9, 2013
a092193
PCI: Lock down BAR access when module security is enabled
Mar 8, 2012
665de4d
x86: Lock down IO port access when module security is enabled
Mar 8, 2012
ec9e1e7
ACPI: Limit access to custom_method
Mar 9, 2012
25b3c5a
asus-wmi: Restrict debugfs interface when module loading is restricted
Mar 9, 2012
30af349
Restrict /dev/mem and /dev/kmem when module loading is restricted
Mar 9, 2012
5fc1532
acpi: Ignore acpi_rsdp kernel parameter when module loading is restri…
jwboyer Jun 25, 2012
bd55d2c
kexec: Disable at runtime if the kernel enforces module loading restr…
Nov 20, 2015
6a2ebbb
x86: Restrict MSR access when module loading is restricted
Feb 8, 2013
23b33d6
Add option to automatically enforce module signatures when in Secure …
Aug 9, 2013
d1431fc
efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
Aug 27, 2013
735f74a
efi: Add EFI_SECURE_BOOT bit
Aug 27, 2013
d0c5883
hibernate: Disable in a signed modules environment
Jun 20, 2014
cf7c941
Security: Provide copy-up security hooks for unioned files
dhowells Jun 16, 2015
08ff141
Overlayfs: Use copy-up security hooks
dhowells Jun 16, 2015
5010e47
SELinux: Stub in copy-up handling
dhowells Jun 16, 2015
9f1a7fa
SELinux: Handle opening of a unioned file
dhowells Jun 16, 2015
4d31663
SELinux: Check against union label for file operations
dhowells Jun 16, 2015
7c61363
kbuild: derive relative path for KBUILD_SRC from CURDIR
Nov 25, 2015
8a81012
Don't verify write permissions on lower inodes on overlayfs
Dec 22, 2015
SELinux: Stub in copy-up handling
Provide stubs for union/overlay copy-up handling.  The xattr copy up stub
discards lower SELinux xattrs rather than letting them be copied up so that
the security label on the copy doesn't get corrupted.

Signed-off-by: David Howells <[email protected]>
dhowells authored and crawford committed Jul 26, 2016
commit 5010e474dd5f54f95f54f5ac6d86085084148aca
20 changes: 20 additions & 0 deletions security/selinux/hooks.c
Expand Up @@ -3270,6 +3270,24 @@ static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
*secid = isec->sid;
}

static int selinux_inode_copy_up(struct dentry *src, struct dentry *dst)
{
return 0;
}

static int selinux_inode_copy_up_xattr(struct dentry *src, struct dentry *dst,
const char *name, void *value,
size_t *size)
{
/* The copy_up hook above sets the initial context on an inode, but we
* don't then want to overwrite it by blindly copying all the lower
* xattrs up. Instead, we have to filter out SELinux-related xattrs.
*/
if (strcmp(name, XATTR_NAME_SELINUX) == 0)
return 1; /* Discard */
return 0;
}

/* file security operations */

static int selinux_revalidate_file_permission(struct file *file, int mask)
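Review bot: the comment in selinux_inode_copy_up_xattr() says the copy_up hook above sets the initial context on the inode, but selinux_inode_copy_up() as added here is only `return 0;`. Either reword the comment to say the context will be set once the stub is filled in, or put a placeholder comment in the stub body, so a reader of this commit does not assume the new inode is already being labelled. The bare `return 1; /* Discard */` would also be easier to follow with one line stating the hook's return convention (1 drops the xattr, 0 lets it be copied), and it is worth noting that src, dst, value and size are intentionally unused in this version.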
Expand Down Expand Up @@ -6056,6 +6074,8 @@ static struct security_hook_list selinux_hooks[] = {
LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),

LSM_HOOK_INIT(file_permission, selinux_file_permission),
LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
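Review bot: registering inode_copy_up_xattr here makes the XATTR_NAME_SELINUX filter live in the same commit where selinux_inode_copy_up is still a no-op, so at this point in the series the lower label is discarded on copy-up and this hook supplies nothing in its place. Consider registering the xattr hook together with the commit that implements selinux_inode_copy_up, or say in the commit message which later patch completes it, so that a kernel built at this commit during a bisect behaves as the comments describe.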