The patch titled
Fix security check for joint context= and fscontext= mount options
has been removed from the -mm tree. Its filename is
fix-security-check-for-joint-context=-and-fscontext=-mount.patch

This patch was dropped because it was merged into mainline or a subsystem tree

------------------------------------------------------
Subject: Fix security check for joint context= and fscontext= mount options
From: Eric Paris <eparis@xxxxxxxxxxxxxx>

After some discussion on the actual meaning of the filesystem class security check in try context mount it was determined that the checks for the context= mount options were not correct if fscontext mount option had already been used.

When labeling the superblock we should be checking relabel_from and relabel_to. But if the superblock has already been labeled (with fscontext) then context= is actually labeling the inodes, and so we should be checking relabel_from and associate.

This patch fixes which checks are called depending on the mount options.

Signed-off-by: Eric Paris <eparis@xxxxxxxxxx>
Acked-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
Acked-by: James Morris <jmorris@xxxxxxxxx>
Cc: Chris Wright <chrisw@xxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxx>

--- security/selinux/hooks.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff -puN security/selinux/hooks.c~fix-security-check-for-joint-context=-and-fscontext=-mount security/selinux/hooks.c --- a/security/selinux/hooks.c~fix-security-check-for-joint-context=-and-fscontext=-mount +++ a/security/selinux/hooks.c
@@ -523,12 +523,16 @@ static int try_context_mount(struct supe goto out_free; } - rc = may_context_mount_sb_relabel(sid, sbsec, tsec); - if (rc) - goto out_free; - - if (!fscontext) + if (!fscontext) { + rc = may_context_mount_sb_relabel(sid, sbsec, tsec); + if (rc) + goto out_free; sbsec->sid = sid; + } else { + rc = may_context_mount_inode_relabel(sid, sbsec, tsec); + if (rc) + goto out_free; + } sbsec->mntpoint_sid = sid; sbsec->behavior = SECURITY_FS_USE_MNTPOINT; _ Patches currently in -mm which might be from eparis@xxxxxxxxxxxxxx are - To unsubscribe from this list: send the line "unsubscribe mm-commits" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
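Review bot: the new if (!fscontext) { ... } else { ... } split in try_context_mount() carries no comment saying why the two branches call different permission checks. The reasoning (without fscontext= the context= option labels the superblock, so may_context_mount_sb_relabel() applies; with fscontext= the superblock is already labeled and context= only labels inodes, so may_context_mount_inode_relabel() applies) is stated only in the changelog. A two or three line comment above the branch would keep that distinction visible to the next person who touches this path, since swapping or merging the branches would silently change which permissions a joint context=/fscontext= mount is checked against. Separately, may_context_mount_inode_relabel() is not defined in this hunk and the diffstat lists no other changes, so the patch relies on it already existing in hooks.c; it is worth confirming in review that it performs the relabel_from and associate checks the changelog describes.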