On Tue, 5 Oct 2010, Roberto Sassu wrote:

> Ecryptfs is a stackable filesystem which relies on lower filesystems the
> ability of setting/getting extended attributes.
>
> If there is a security module enabled on the system it updates the
> 'security' field of inodes according to the owned extended attribute set
> with the function vfs_setxattr(). When this function is performed on an
> ecryptfs filesystem the 'security' field is not updated for the lower
> filesystem since the call security_inode_post_setxattr() is missing for
> the lower inode.
> Further, the call security_inode_setxattr() is missing for the lower inode,
> leading to policy violations in the security module because specific
> checks for this hook are not performed (i.e. filesystem
> 'associate' permission on SELinux is not checked for the lower filesystem).
>
> This patch replaces the call of the setxattr() method of the lower inode
> in the function ecryptfs_setxattr() with vfs_setxattr().
>
>
> Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxx>
> Reviewed-by: Tyler Hicks <tyhicks@xxxxxxxxxxxxxxxxxx>

Acked-by: James Morris <jmorris@xxxxxxxxx>

--
James Morris
<jmorris@xxxxxxxxx>
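
The difference the quoted commit message describes, as an added example that is not part of the original mail or of the eCryptfs patch: a simplified userspace model in C of a stacked filesystem calling the lower setxattr method directly versus going through a vfs_setxattr()-style wrapper that runs both security hooks. All names (model_inode, model_fs_setxattr, stacked_setxattr_direct, stacked_setxattr_via_vfs, associate_ok) are hypothetical stand-ins, and the labels and policy flag are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Userspace model; every name here is a hypothetical stand-in, not kernel code. */
struct model_inode {
    char xattr[64];      /* security xattr as stored by the filesystem */
    char security[64];   /* label cached in the inode's 'security' field */
    int  associate_ok;   /* constructed policy: is 'associate' allowed on this fs? */
};

/* Filesystem ->setxattr method: stores the value, knows nothing about policy. */
static int model_fs_setxattr(struct model_inode *i, const char *val)
{
    snprintf(i->xattr, sizeof(i->xattr), "%s", val);
    return 0;
}

/* Pre-patch shape: the stacked filesystem calls the lower method directly. */
static int stacked_setxattr_direct(struct model_inode *lower, const char *val)
{
    return model_fs_setxattr(lower, val);
}

/* Post-patch shape: a vfs_setxattr()-like wrapper runs both hooks. */
static int stacked_setxattr_via_vfs(struct model_inode *lower, const char *val)
{
    if (!lower->associate_ok)            /* models security_inode_setxattr() */
        return -EACCES;
    int rc = model_fs_setxattr(lower, val);
    if (rc == 0)                         /* models security_inode_post_setxattr() */
        snprintf(lower->security, sizeof(lower->security), "%s", val);
    return rc;
}

/* Returns 1 when the cached label matches the stored xattr. */
static int label_in_sync(const struct model_inode *i)
{
    return strcmp(i->xattr, i->security) == 0;
}

int main(void)
{
    struct model_inode a = { "old_t", "old_t", 0 }, b = a;
    int ra = stacked_setxattr_direct(&a, "new_t");
    int rb = stacked_setxattr_via_vfs(&b, "new_t");
    printf("direct:  rc=%d in_sync=%d\n", ra, label_in_sync(&a));
    printf("via vfs: rc=%d in_sync=%d\n", rb, label_in_sync(&b));
    return 0;
}
```

With policy denying the operation, the direct path still succeeds and leaves the cached label stale, while the wrapper path refuses the write and the lower inode stays consistent.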