[PATCH] overlayfs: copyup security inode field

SELinux (and maybe other security frameworks) relies on the inode->i_security
field to perform audit of security contexts.

I think this field must be the same as the underlying filesystem's, instead of
creating a fresh new one at ovl_new_inode(), which gives an UNLABELED sid.

The issue arose when a certain process (for instance Zygote) fails to perform
some actions (for instance getxattr) on Android using SEAndroid and overlayfs
with an empty upperdir mounted on /system, but it succeeds when there is no
overlayfs.

Signed-off-by: Zakaria ElQotbi <zakaria.elqotbi@xxxxxxxxxxx>
---
 fs/overlayfs/overlayfs.h |    3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/overlayfs/overlayfs.h b/fs/overlayfs/overlayfs.h
index 3495a55..d28023a 100644
--- a/fs/overlayfs/overlayfs.h
+++ b/fs/overlayfs/overlayfs.h
@@ -60,6 +60,9 @@ static inline void ovl_copyattr(struct inode *from, struct inode *to)
 {
 	to->i_uid = from->i_uid;
 	to->i_gid = from->i_gid;
+#ifdef CONFIG_SECURITY
+	to->i_security = from->i_security;
+#endif
 }
 
 /* dir.c */
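
Review bot: The added `to->i_security = from->i_security;` in ovl_copyattr() copies the pointer, not the label, so the overlay inode and the underlying inode end up sharing one LSM-owned blob. The blob that the commit message says was freshly created for the overlay inode in ovl_new_inode() is overwritten without being released, which leaks it, and because the security module frees i_security when an inode is destroyed, whichever of the two inodes goes away first leaves the other holding a dangling pointer, with a second free following when that one is destroyed too. Nothing in the hunk takes a reference or otherwise ties the lifetimes of `from` and `to` together. i_security is opaque outside the security module, so the label should be propagated through an LSM interface that initialises the overlay inode's own blob from the lower inode's context rather than by aliasing the field. The `#ifdef CONFIG_SECURITY` guard also puts LSM-specific knowledge into a filesystem header, which is another reason to do this behind a security hook.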
-- 
1.7.9.5
