[PATCH] selinux: disable setxattr on mountpoint labeled filesystems
This patch disables the setting of SELinux xattrs on files created in filesystems labeled via mountpoint labeling (mounted with the context= option). selinux_inode_setxattr already prevents explicit setxattr from userspace on such filesystems, so this provides consistent behavior for file creation. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
This commit is contained in:
parent
e517a0cd85
commit
25a74f3ba8
@ -1986,6 +1986,9 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
|
||||
|
||||
inode_security_set_sid(inode, newsid);
|
||||
|
||||
if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
|
||||
return -EOPNOTSUPP;
|
||||
|
||||
if (name) {
|
||||
namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
|
||||
if (!namep)
|
||||
|
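Review bot: The new `SECURITY_FS_USE_MNTPOINT` bail-out deserves a comment, because it sits right after `inode_security_set_sid(inode, newsid)` and a reader will otherwise assume the return is an error path that leaves the inode unlabeled; in fact the in-core SID has already been assigned and only the xattr write is being suppressed. I would add, above the `if`: `/* Mountpoint-labeled fs (context=): the label is fixed by the mount and no xattr should be written, matching selinux_inode_setxattr. */`. Since the function now returns -EOPNOTSUPP with a valid label set, it would be worth confirming that every caller of security_inode_init_security treats -EOPNOTSUPP as "no xattr to emit" rather than as a creation failure — this hunk does not show the callers, so that is an inference. The enclosing function selinux_inode_init_security starts and ends outside the hunk.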