File operations (eg. read, write) issued against a file that is attached to the lower layer of a union file needs to be checked against the union-layer label as well as the lower-layer label. Signed-off-by: David Howells <dhowells@xxxxxxxxxx> --- security/selinux/hooks.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 57f9c641779f..7084ccb1321c 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1673,6 +1673,7 @@ static int file_has_perm(const struct cred *cred, struct file *file, u32 av) { + struct inode_security_struct *isec; struct file_security_struct *fsec = file->f_security; struct inode *inode = file_inode(file); struct common_audit_data ad; @@ -1681,7 +1682,7 @@ static int file_has_perm(const struct cred *cred, ad.type = LSM_AUDIT_DATA_PATH; ad.u.path = file->f_path; - + if (sid != fsec->sid) { rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, @@ -1693,8 +1694,15 @@ static int file_has_perm(const struct cred *cred, /* av is zero if only checking access to the descriptor. */ rc = 0; - if (av) - rc = inode_has_perm(cred, inode, av, &ad); + if (av && likely(!IS_PRIVATE(inode))) { + if (fsec->union_isid) { + isec = inode->i_security; + rc = avc_has_perm(sid, fsec->union_isid, isec->sclass, + av, &ad); + } + if (!rc) + rc = inode_has_perm(cred, inode, av, &ad); + } out: return rc; -- To unsubscribe from this list: send the line "unsubscribe linux-unionfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html