[PATCH 6/7] SELinux: The copy-up operation must have read permission on the lower file

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



The copy-up operation must have read permission on the lower file for the task
that caused the copy-up.  This helps prevent overlayfs from being used to
access something it shouldn't.

Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
---

 security/selinux/hooks.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index f43f07fdc028..57f9c641779f 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3144,7 +3144,8 @@ static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
 
 static int selinux_inode_copy_up(struct dentry *src, struct dentry *dst)
 {
-	return 0;
+	const struct cred *cred = current_cred();
+	return dentry_has_perm(cred, src, FILE__OPEN | FILE__READ);
 }
 
 static int selinux_inode_copy_up_xattr(struct dentry *src, struct dentry *dst,

--
To unsubscribe from this list: send the line "unsubscribe linux-unionfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Linux Filesystems Devel]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux