diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 5aa5fe036207cb..6980ae726cc32a 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3474,10 +3474,72 @@ static int selinux_file_receive(struct file *file) return file_has_perm(cred, file, file_to_av(file)); } +/* + * We have a file opened on a unioned file system that falls through to a file + * on a lower layer. If there is a union inode, we try to get the label from + * that, otherwise we need to get it from the superblock. + * + * file->f_path points to the union layer and file->f_inode points to the lower + * layer. + */ +static int selinux_file_open_union(struct file *file, + struct file_security_struct *fsec, + const struct cred *cred) +{ + const struct superblock_security_struct *sbsec; + const struct inode_security_struct *isec, *dsec, *fisec; + const struct task_security_struct *tsec = current_security(); + struct common_audit_data ad; + struct dentry *union_dentry = file->f_path.dentry; + const struct inode *union_inode = d_inode(union_dentry); + const struct inode *lower_inode = file_inode(file); + struct dentry *dir; + int rc; + + sbsec = union_dentry->d_sb->s_security; + + if (union_inode) { + isec = union_inode->i_security; + fsec->union_isid = isec->sid; + } else if ((sbsec->flags & SE_SBINITIALIZED) && + (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) { + fsec->union_isid = sbsec->mntpoint_sid; + } else { + dir = dget_parent(union_dentry); + dsec = d_inode(dir)->i_security; + + rc = security_transition_sid( + tsec->sid, dsec->sid, + inode_mode_to_security_class(lower_inode->i_mode), + &union_dentry->d_name, + &fsec->union_isid); + dput(dir); + if (rc) { + pr_warn("%s: security_transition_sid failed, rc=%d (name=%pD)\n", + __func__, -rc, file); + return rc; + } + } + + /* We need to check that the union file is allowed to be opened as well + * as checking that the lower file is allowed to be opened. + */ + if (unlikely(IS_PRIVATE(lower_inode))) + return 0; + + ad.type = LSM_AUDIT_DATA_PATH; + ad.u.path = file->f_path; + + fisec = lower_inode->i_security; + return avc_has_perm(cred_sid(cred), fsec->union_isid, fisec->sclass, + open_file_to_av(file), &ad); +} + static int selinux_file_open(struct file *file, const struct cred *cred) { struct file_security_struct *fsec; struct inode_security_struct *isec; + int rc; fsec = file->f_security; isec = file_inode(file)->i_security; @@ -3498,6 +3560,13 @@ static int selinux_file_open(struct file *file, const struct cred *cred) * new inode label or new policy. * This check is not redundant - do not remove. */ + + if (d_inode(file->f_path.dentry) != file->f_inode) { + rc = selinux_file_open_union(file, fsec, cred); + if (rc < 0) + return rc; + } + return file_path_has_perm(cred, file, open_file_to_av(file)); } diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index 81fa718d5cb388..f088c080aa9e8a 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h @@ -54,6 +54,7 @@ struct file_security_struct { u32 sid; /* SID of open file description */ u32 fown_sid; /* SID of file owner (for SIGIO) */ u32 isid; /* SID of inode at the time of file open */ + u32 union_isid; /* SID of would-be inodes in union top (or 0) */ u32 pseqno; /* Policy seqno at the time of file open */ };