authorStephen Smalley <sds@tycho.nsa.gov>2005-11-08 21:34:33 -0800
committerLinus Torvalds <torvalds@g5.osdl.org>2005-11-09 07:55:51 -0800
commit25a74f3ba8efb394e9a30d6de37566bf03fd3de8 (patch)
tree8fbe98b01a13946c02a56ab7bab2c4ed077aee3f
parente517a0cd859ae0c4d9451107113fc2b076456f8f (diff)
[PATCH] selinux: disable setxattr on mountpoint labeled filesystems
This patch disables the setting of SELinux xattrs on files created in filesystems labeled via mountpoint labeling (mounted with the context= option). selinux_inode_setxattr already prevents explicit setxattr from userspace on such filesystems, so this provides consistent behavior for file creation. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-rw-r--r--security/selinux/hooks.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 45c41490d521..fc774436a264 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1986,6 +1986,9 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
inode_security_set_sid(inode, newsid);
+ if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
+ return -EOPNOTSUPP;
+
if (name) {
namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
if (!namep)