SELinux: Check against union label for file operations
File operations (eg. read, write) issued against a file that is attached to
the lower layer of a union file needs to be checked against the union-layer
label not the lower layer label.
The union label is stored in the file_security_struct rather than being
retrieved from one of the inodes.
Signed-off-by: David Howells <dhowells@redhat.com>
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 522b070..ecc883b 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1682,6 +1682,7 @@
struct file *file,
u32 av)
{
+ struct inode_security_struct *isec;
struct file_security_struct *fsec = file->f_security;
struct inode *inode = file_inode(file);
struct common_audit_data ad;
@@ -1702,8 +1703,15 @@
/* av is zero if only checking access to the descriptor. */
rc = 0;
- if (av)
- rc = inode_has_perm(cred, inode, av, &ad);
+ if (av && likely(!IS_PRIVATE(inode))) {
+ if (fsec->union_isid) {
+ isec = inode->i_security;
+ rc = avc_has_perm(sid, fsec->union_isid, isec->sclass,
+ av, &ad);
+ }
+ if (!rc)
+ rc = inode_has_perm(cred, inode, av, &ad);
+ }
out:
return rc;
