From: Stephen Smalley Date: Wed, 9 Nov 2005 05:34:33 +0000 (-0800) Subject: [PATCH] selinux: disable setxattr on mountpoint labeled filesystems X-Git-Tag: v2.6.15-rc1~391 X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=25a74f3ba8efb394e9a30d6de37566bf03fd3de8;p=linux-2.6 [PATCH] selinux: disable setxattr on mountpoint labeled filesystems This patch disables the setting of SELinux xattrs on files created in filesystems labeled via mountpoint labeling (mounted with the context= option). selinux_inode_setxattr already prevents explicit setxattr from userspace on such filesystems, so this provides consistent behavior for file creation. Signed-off-by: Stephen Smalley Signed-off-by: James Morris Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 45c41490d5..fc774436a2 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1986,6 +1986,9 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, inode_security_set_sid(inode, newsid); + if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT) + return -EOPNOTSUPP; + if (name) { namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL); if (!namep)
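Review bot: the two added lines after `inode_security_set_sid(inode, newsid);` carry no comment explaining why an early `-EOPNOTSUPP` is the right result here; since the hunk returns an error value on a path that the commit message describes as intended behavior, a one-line comment would keep future readers from treating it as a failure. Something like `/* mountpoint-labeled fs: in-core SID is set, but no xattr is written */` above `if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)` would record the two facts the ordering depends on: the in-core label has already been assigned by the preceding call, and only the xattr material (the `name`/`namep` path that follows) is being suppressed, matching what the message says `selinux_inode_setxattr` already does for explicit setxattr. Also, the hunk's context does not show where `sbsec` is declared or initialized within `selinux_inode_init_security`; confirm it is the superblock security structure already obtained earlier in this function rather than a variable introduced by a separate change.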