On Tue, Jul 5, 2016 at 11:50 AM, Vivek Goyal <vgoyal@xxxxxxxxxx> wrote: > Provide a security hook which is called when xattrs of a file are being > copied up. This hook is called once for each xattr and one can either > accept or reject xattr. If 0 is returned, xattr will be copied up, if 1 > is returned, xattr will not be copied up and if negative error code > is returned, copy up will be aborted. > > In SELinux, label of lower file is not copied up. File already has been > set with right label at the time of creation and we don't want to overwrite > that label. > > Signed-off-by: David Howells <dhowells@xxxxxxxxxx> > Signed-off-by: Vivek Goyal <vgoyal@xxxxxxxxxx> > --- > fs/overlayfs/copy_up.c | 8 ++++++++ > include/linux/lsm_hooks.h | 13 +++++++++++++ > include/linux/security.h | 10 ++++++++++ > security/security.c | 9 +++++++++ > security/selinux/hooks.c | 14 ++++++++++++++ > 5 files changed, 54 insertions(+) To continue the earlier feedback about mixing generic LSM hook definitions with the SELinux specific hook implementations - I prefer to see patchsets organized in the following manner: [PATCH 1/X] - add new LSM hooks and the calls from the relevant subsystems, e.g. {security/security.c,include/linux/security.h,fs/overlayfs/*} [PATCH 2/X] - LSM specific hook implementation, e.g. security/selinux/* [PATCH n/X] - LSM specific hook implementation, e.g. security/smack/* -- paul moore security @ redhat -- To unsubscribe from this list: send the line "unsubscribe linux-unionfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html