diff options
| author | Stephen Smalley <sds@tycho.nsa.gov> | 2020-01-17 15:24:07 -0500 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2020-02-14 16:34:19 -0500 |
| commit | 875e01dd8a972115b58589e4715dec046eb51c0f (patch) | |
| tree | 86fa57a1fe3afa5f9f9290408de6e74f17261297 /security | |
| parent | 3b2e595dfe2bbbedee5cf2298739d9b6663e7d6d (diff) | |
| download | linux-stable-875e01dd8a972115b58589e4715dec046eb51c0f.tar.gz linux-stable-875e01dd8a972115b58589e4715dec046eb51c0f.tar.bz2 linux-stable-875e01dd8a972115b58589e4715dec046eb51c0f.zip | |
selinux: fix regression introduced by move_mount(2) syscall
commit 98aa00345de54b8340dc2ddcd87f446d33387b5e upstream.
commit 2db154b3ea8e ("vfs: syscall: Add move_mount(2) to move mounts around")
introduced a new move_mount(2) system call and a corresponding new LSM
security_move_mount hook but did not implement this hook for any existing
LSM. This creates a regression for SELinux with respect to consistent
checking of mounts; the existing selinux_mount hook checks mounton
permission to the mount point path. Provide a SELinux hook
implementation for move_mount that applies this same check for
consistency. In the future we may wish to add a new move_mount
filesystem permission and check as well, but this addresses
the immediate regression.
Fixes: 2db154b3ea8e ("vfs: syscall: Add move_mount(2) to move mounts around")
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'security')
| -rw-r--r-- | security/selinux/hooks.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 994353945790..0426ce3c19e9 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2766,6 +2766,14 @@ static int selinux_mount(const char *dev_name, return path_has_perm(cred, path, FILE__MOUNTON); } +static int selinux_move_mount(const struct path *from_path, + const struct path *to_path) +{ + const struct cred *cred = current_cred(); + + return path_has_perm(cred, to_path, FILE__MOUNTON); +} + static int selinux_umount(struct vfsmount *mnt, int flags) { const struct cred *cred = current_cred(); @@ -6835,6 +6843,8 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts), LSM_HOOK_INIT(sb_add_mnt_opt, selinux_add_mnt_opt), + LSM_HOOK_INIT(move_mount, selinux_move_mount), + LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security), LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as), |