diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S index 4d19508c55a3aa..b7ecaf9e5a4b36 100644 --- a/arch/arm64/kernel/head.S +++ b/arch/arm64/kernel/head.S @@ -195,6 +195,11 @@ section_table: .short 0 // NumberOfLineNumbers (0 for executables) .long 0xe0500020 // Characteristics (section flags) + /* CoreOS 64 byte verity hash value. */ + .org _head + 512 + .ascii "verity-hash" + .org _head + 512 + 64 + /* * EFI will load .text onwards at the 4k section alignment * described in the PE/COFF header. To ensure that instruction diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 603b6003e2e9ee..feb29df500966c 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -832,10 +832,14 @@ static int selinux_set_mnt_opts(struct super_block *sb, } /* - * If this is a user namespace mount, no contexts are allowed - * on the command line and security labels must be ignored. + * If this is a user namespace mount and the filesystem type is not + * explicitly whitelisted, then no contexts are allowed on the command + * line and security labels must be ignored. */ - if (sb->s_user_ns != &init_user_ns) { + if (sb->s_user_ns != &init_user_ns && + strcmp(sb->s_type->name, "tmpfs") && + strcmp(sb->s_type->name, "ramfs") && + strcmp(sb->s_type->name, "devpts")) { if (context_sid || fscontext_sid || rootcontext_sid || defcontext_sid) { rc = -EACCES;