SELinux: Check against union label for file operations

File operations (eg. read, write) issued against a file that is attached to the lower layer of a union file needs to be checked against the union-layer label not the lower layer label. The union label is stored in the file_security_struct rather than being retrieved from one of the inodes. Signed-off-by: David Howells <dhowells@redhat.com>
coreos · Oct 20, 2015 · ad85826 · ad85826
1 parent bfbf1fd
commit ad85826
Showing 1 changed file with 10 additions and 2 deletions.
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
@@ -1671,6 +1671,7 @@ static int file_has_perm(const struct cred *cred,
 			 struct file *file,
 			 u32 av)
 {
+	struct inode_security_struct *isec;
 	struct file_security_struct *fsec = file->f_security;
 	struct inode *inode = file_inode(file);
 	struct common_audit_data ad;
@@ -1691,8 +1692,15 @@ static int file_has_perm(const struct cred *cred,
 
 	/* av is zero if only checking access to the descriptor. */
 	rc = 0;
-	if (av)
-		rc = inode_has_perm(cred, inode, av, &ad);
+	if (av && likely(!IS_PRIVATE(inode))) {
+		if (fsec->union_isid) {
+			isec = inode->i_security;
+			rc = avc_has_perm(sid, fsec->union_isid, isec->sclass,
+					  av, &ad);
+		}
+		if (!rc)
+			rc = inode_has_perm(cred, inode, av, &ad);
+	}
 
 out:
 	return rc;