mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-08-24 09:50:04 +00:00
selinux: fix regression introduced by move_mount(2) syscall
commit98aa00345d
upstream. commit2db154b3ea
("vfs: syscall: Add move_mount(2) to move mounts around") introduced a new move_mount(2) system call and a corresponding new LSM security_move_mount hook but did not implement this hook for any existing LSM. This creates a regression for SELinux with respect to consistent checking of mounts; the existing selinux_mount hook checks mounton permission to the mount point path. Provide a SELinux hook implementation for move_mount that applies this same check for consistency. In the future we may wish to add a new move_mount filesystem permission and check as well, but this addresses the immediate regression. Fixes:2db154b3ea
("vfs: syscall: Add move_mount(2) to move mounts around") Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
parent
3b2e595dfe
commit
875e01dd8a
1 changed files with 10 additions and 0 deletions
|
@ -2766,6 +2766,14 @@ static int selinux_mount(const char *dev_name,
|
|||
return path_has_perm(cred, path, FILE__MOUNTON);
|
||||
}
|
||||
|
||||
static int selinux_move_mount(const struct path *from_path,
|
||||
const struct path *to_path)
|
||||
{
|
||||
const struct cred *cred = current_cred();
|
||||
|
||||
return path_has_perm(cred, to_path, FILE__MOUNTON);
|
||||
}
|
||||
|
||||
static int selinux_umount(struct vfsmount *mnt, int flags)
|
||||
{
|
||||
const struct cred *cred = current_cred();
|
||||
|
@ -6835,6 +6843,8 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
|
|||
LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
|
||||
LSM_HOOK_INIT(sb_add_mnt_opt, selinux_add_mnt_opt),
|
||||
|
||||
LSM_HOOK_INIT(move_mount, selinux_move_mount),
|
||||
|
||||
LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
|
||||
LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
|
||||
|
||||
|
|
Loading…
Reference in a new issue