]> git.proxmox.com Git - mirror_ubuntu-focal-kernel.git/commitdiff
projects / mirror_ubuntu-focal-kernel.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 41d5ff4)
selinux: fix regression introduced by move_mount(2) syscall
authorStephen Smalley <sds@tycho.nsa.gov>
Fri, 17 Jan 2020 20:24:07 +0000 (15:24 -0500)
committerPaolo Pisati <paolo.pisati@canonical.com>
Mon, 17 Feb 2020 11:37:07 +0000 (12:37 +0100)
BugLink: https://bugs.launchpad.net/bugs/1863589
commit 98aa00345de54b8340dc2ddcd87f446d33387b5e upstream.

commit 2db154b3ea8e ("vfs: syscall: Add move_mount(2) to move mounts around")
introduced a new move_mount(2) system call and a corresponding new LSM
security_move_mount hook but did not implement this hook for any existing
LSM.  This creates a regression for SELinux with respect to consistent
checking of mounts; the existing selinux_mount hook checks mounton
permission to the mount point path.  Provide a SELinux hook
implementation for move_mount that applies this same check for
consistency.  In the future we may wish to add a new move_mount
filesystem permission and check as well, but this addresses
the immediate regression.

Fixes: 2db154b3ea8e ("vfs: syscall: Add move_mount(2) to move mounts around")
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
security/selinux/hooks.c patch | blob | blame | history

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index a6ca53681db07ed97ace2978aacd79dd746d2307..7840e046a2cab1dad29244b7a185e5c199723790 100644 (file)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2766,6 +2766,14 @@ static int selinux_mount(const char *dev_name,
                return path_has_perm(cred, path, FILE__MOUNTON);
 }
 
+static int selinux_move_mount(const struct path *from_path,
+                             const struct path *to_path)
+{
+       const struct cred *cred = current_cred();
+
+       return path_has_perm(cred, to_path, FILE__MOUNTON);
+}
+
 static int selinux_umount(struct vfsmount *mnt, int flags)
 {
        const struct cred *cred = current_cred();
@@ -6831,6 +6839,8 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
        LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
        LSM_HOOK_INIT(sb_add_mnt_opt, selinux_add_mnt_opt),
 
+       LSM_HOOK_INIT(move_mount, selinux_move_mount),
+
        LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
        LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
 
Ubuntu Focal Linux kernel mirror