
selinux: allow kernfs symlinks to inherit parent directory context

Currently symlinks on kernel filesystems, like sysfs, are labeled on
creation with the parent filesystem root sid.

Allow symlinks to inherit the parent directory context, so fine-grained
kernfs labeling can be applied to symlinks too and checking contexts
doesn't complain about them.

For backward-compatibility this behavior is contained in a new policy
capability: genfs_seclabel_symlinks

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>

authored by

Christian Göttsche and committed by
Paul Moore
7470d0d1 06c2efe2

+13 -2
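--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1478,7 +1478,9 @@
 	/* Default to the fs superblock SID. */
 	sid = sbsec->sid;
 
-	if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
+	if ((sbsec->flags & SE_SBGENFS) &&
+	    (!S_ISLNK(inode->i_mode) ||
+	     selinux_policycap_genfs_seclabel_symlinks())) {
 		/* We must have a dentry to determine the label on
 		 * procfs inodes */
 		if (opt_dentry) {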
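Review bot: The new three-term condition carries no comment explaining why symlinks are gated behind a policy capability, and the existing comment just below it still speaks only of procfs inodes, so a reader of the new side cannot tell that a symlink that fails the test simply keeps the superblock SID assigned two lines above. Suggest a comment directly above the `if`: `/* Symlinks keep the superblock SID unless the genfs_seclabel_symlinks policy capability is set, so labeling under older policies is unchanged. */`. The enclosing function starts and ends outside the hunk, so it cannot be confirmed here that every kernfs symlink reaching this path arrives with an opt_dentry; if it does not, it falls out of the block with sid unchanged, which is presumably the intended compatible behaviour but is worth stating in that comment.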
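--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -79,6 +79,7 @@
 	POLICYDB_CAPABILITY_ALWAYSNETWORK,
 	POLICYDB_CAPABILITY_CGROUPSECLABEL,
 	POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION,
+	POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS,
 	__POLICYDB_CAPABILITY_MAX
 };
 #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
@@ -212,4 +211,11 @@
 	struct selinux_state *state = &selinux_state;
 
 	return state->policycap[POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION];
+}
+
+static inline bool selinux_policycap_genfs_seclabel_symlinks(void)
+{
+	struct selinux_state *state = &selinux_state;
+
+	return state->policycap[POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS];
 }
 
 int security_mls_enabled(struct selinux_state *state);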
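Review bot: The new enum value `POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS` and the helper `selinux_policycap_genfs_seclabel_symlinks()` are added without any comment tying the enum position to the capability name table in ss/services.c, which the same commit extends in the same order; nothing visible in either hunk enforces that the two stay aligned. Suggest a comment on the enum entry, `/* index must match the capability name table in ss/services.c */`, and a one-line comment above the helper such as `/* true when policy lets symlinks on genfs-labeled filesystems inherit the parent directory's context instead of the superblock SID */`. Appending the value before `__POLICYDB_CAPABILITY_MAX` keeps the indices of existing capabilities stable, which appears intentional and is worth noting alongside the sync comment.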
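--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -72,7 +72,8 @@
 	"extended_socket_class",
 	"always_check_network",
 	"cgroup_seclabel",
-	"nnp_nosuid_transition"
+	"nnp_nosuid_transition",
+	"genfs_seclabel_symlinks"
 };
 
 static struct selinux_ss selinux_ss;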
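Review bot: The previous last entry `"nnp_nosuid_transition"` had no trailing comma, which is why a one-entry addition shows up as a two-line change; writing the new entry as `"genfs_seclabel_symlinks",` with a trailing comma keeps the next addition a single-line diff. The string must stay at the same index as `POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS` in include/security.h, which this commit does, but as far as the hunk shows that alignment is maintained only by convention.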