This repository was archived by the owner on Sep 24, 2020. It is now read-only.
Merged. Changes shown from 1 commit; the pull request contains 20 commits:

- c917a74  Add secure_modules() call (Aug 9, 2013)
- b7c35e1  PCI: Lock down BAR access when module security is enabled (Mar 8, 2012)
- 207ae22  x86: Lock down IO port access when module security is enabled (Mar 8, 2012)
- 1aab763  ACPI: Limit access to custom_method (Mar 9, 2012)
- fb3204b  asus-wmi: Restrict debugfs interface when module loading is restricted (Mar 9, 2012)
- 9f4551c  Restrict /dev/mem and /dev/kmem when module loading is restricted (Mar 9, 2012)
- 184434f  acpi: Ignore acpi_rsdp kernel parameter when module loading is restri… (jwboyer, Jun 25, 2012)
- 26b84d2  kexec: Disable at runtime if the kernel enforces module loading restr… (Nov 20, 2015)
- 7e1bafd  x86: Restrict MSR access when module loading is restricted (Feb 8, 2013)
- 2bcdc21  Add option to automatically enforce module signatures when in Secure … (Aug 9, 2013)
- 6598ab6  efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI (Aug 27, 2013)
- a7dbe47  efi: Add EFI_SECURE_BOOT bit (Aug 27, 2013)
- 1e08cbc  hibernate: Disable in a signed modules environment (Jun 20, 2014)
- 7dccfd0  Security: Provide copy-up security hooks for unioned files (dhowells, Jun 16, 2015)
- bf11f2c  Overlayfs: Use copy-up security hooks (dhowells, Jun 16, 2015)
- b955fb5  SELinux: Stub in copy-up handling (dhowells, Jun 16, 2015)
- e052832  SELinux: Handle opening of a unioned file (dhowells, Jun 16, 2015)
- fa7ef4a  SELinux: Check against union label for file operations (dhowells, Jun 16, 2015)
- c3685bb  kbuild: derive relative path for KBUILD_SRC from CURDIR (Nov 25, 2015)
- 9bea0f0  Don't verify write permissions on lower inodes on overlayfs (Dec 22, 2015)
SELinux: Check against union label for file operations
File operations (e.g. read, write) issued against a file that is attached to
the lower layer of a union file need to be checked against the union-layer
label, not the lower-layer label.

The union label is stored in the file_security_struct rather than being
retrieved from one of the inodes.

Signed-off-by: David Howells <[email protected]>
dhowells authored and crawford committed Oct 20, 2016
commit fa7ef4a7c655d864f6931ea08a1aca7d1abffeee
security/selinux/hooks.c: 12 changes (10 additions & 2 deletions)
Expand Up @@ -1755,6 +1755,7 @@ static int file_has_perm(const struct cred *cred,
struct file *file,
u32 av)
{
struct inode_security_struct *isec;
struct file_security_struct *fsec = file->f_security;
struct inode *inode = file_inode(file);
struct common_audit_data ad;
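Review bot: the new `isec` declaration at the top of file_has_perm() is only read inside the `if (fsec->union_isid)` branch added further down in this function, and only for `isec->sclass`; declaring it inside that branch (or reading `inode->i_security` directly there) would keep the variable's scope as narrow as its single use and make it obvious from this hunk alone that the declaration exists for the union-label path.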
Expand All @@ -1775,8 +1776,15 @@ static int file_has_perm(const struct cred *cred,

/* av is zero if only checking access to the descriptor. */
rc = 0;
if (av)
rc = inode_has_perm(cred, inode, av, &ad);
if (av && likely(!IS_PRIVATE(inode))) {
if (fsec->union_isid) {
isec = inode->i_security;
rc = avc_has_perm(sid, fsec->union_isid, isec->sclass,
av, &ad);
}
if (!rc)
rc = inode_has_perm(cred, inode, av, &ad);
}

out:
return rc;
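Review bot: the commit message says operations on a lower-layer file need to be checked against the union-layer label "not the lower layer label", but the code checks both: when `fsec->union_isid` is set it first runs avc_has_perm() against the union SID and then, because of `if (!rc)`, still calls inode_has_perm() on the lower inode, so both labels must grant `av`. Either the message should state that the union check is performed in addition to the lower-inode check, or the inode_has_perm() call belongs in an `else` branch. A short comment above the union branch would also help: it should say that `union_isid` is zero for non-union files, and that the union SID is checked using the lower inode's class (`isec->sclass`) rather than one derived from the union layer. The `likely(!IS_PRIVATE(inode))` guard is new in this hunk and now gates both calls; a comment on why private inodes skip the union-label check would make that intent explicit.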