diff options
| author | Christian Göttsche <cgzones@googlemail.com> | 2020-01-28 20:16:48 +0100 |
|---|---|---|
| committer | Paul Moore <paul@paul-moore.com> | 2020-02-10 16:49:01 +0100 |
| commit | 7470d0d13fb680bb82b40f18831f7d4ee7a4bb62 (patch) | |
| tree | d39d3d44ae8407d80d2751b83ee6680d7dc4f45c /security/selinux/hooks.c | |
| parent | selinux: simplify evaluate_cond_node() (diff) | |
| download | linux-7470d0d13fb680bb82b40f18831f7d4ee7a4bb62.tar.xz linux-7470d0d13fb680bb82b40f18831f7d4ee7a4bb62.zip | |
selinux: allow kernfs symlinks to inherit parent directory context
Currently symlinks on kernel filesystems, like sysfs, are labeled on
creation with the parent filesystem root sid.
Allow symlinks to inherit the parent directory context, so fine-grained
kernfs labeling can be applied to symlinks too and checking contexts
doesn't complain about them.
For backward-compatibility this behavior is contained in a new policy
capability: genfs_seclabel_symlinks
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/selinux/hooks.c')
| -rw-r--r-- | security/selinux/hooks.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index d7762264f262..7c37cdb3aba0 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1478,7 +1478,9 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent /* Default to the fs superblock SID. */ sid = sbsec->sid; - if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) { + if ((sbsec->flags & SE_SBGENFS) && + (!S_ISLNK(inode->i_mode) || + selinux_policycap_genfs_seclabel_symlinks())) { /* We must have a dentry to determine the label on * procfs inodes */ if (opt_dentry) { |