Re: [PATCH 3/3][RFC] SELinux: don't check permissions for kernel mounts

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Stephen Smalley <sds@tycho.nsa.gov>
To: James Morris <jmorris@namei.org>
Cc: auke-jan.h.kok@intel.com, e1000-devel@lists.sourceforge.net,
	netdev@vger.kernel.org, Alexey Dobriyan <adobriyan@gmail.com>,
	Chris Wright <chrisw@sous-sol.org>,
	linux-security-module@vger.kernel.org,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	Al Viro <viro@ftp.linux.org.uk>,
	Eric Paris <eparis@parisplace.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	David Miller <davem@davemloft.net>
Subject: Re: [PATCH 3/3][RFC] SELinux: don't check permissions for kernel mounts
Date: Fri, 19 Dec 2008 07:52:51 -0500	[thread overview]
Message-ID: <1229691171.4948.3.camel@localhost.localdomain> (raw)
In-Reply-To: <alpine.LRH.1.10.0812191206380.4137@tundra.namei.org>

On Fri, 2008-12-19 at 12:07 +1100, James Morris wrote:
> Don't bother checking permissions when the kernel performs an internal 
> mount, as this should always be allowed.
> 
> Signed-off-by: James Morris <jmorris@namei.org>

Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>

> ---
>  security/selinux/hooks.c |    4 ++++
>  1 files changed, 4 insertions(+), 0 deletions(-)
> 
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 3897758..4a44903 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -2461,6 +2461,10 @@ static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
>  	if (rc)
>  		return rc;
>  
> +	/* Allow all mounts performed by the kernel */
> +	if (flags & MS_KERNMOUNT)
> +		return 0;
> +
>  	AVC_AUDIT_DATA_INIT(&ad, FS);
>  	ad.u.fs.path.dentry = sb->s_root;
>  	return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
-- 
Stephen Smalley
National Security Agency


------------------------------------------------------------------------------

next prev parent reply	other threads:[~2008-12-19 12:52 UTC|newest]

Thread overview: 28+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-12-04  1:18 networking probs in next-20081203 Andrew Morton
2008-12-04 15:14 ` Alexey Dobriyan
2008-12-04 17:41   ` Kok, Auke
2008-12-04 17:52     ` Alexey Dobriyan
2008-12-04 18:11       ` [E1000-devel] " Stephen Smalley
2008-12-04 18:21         ` David Miller
2008-12-04 19:32           ` Stephen Smalley
2008-12-04 20:06             ` Stephen Smalley
2008-12-04 21:00               ` [E1000-devel] " Eric W. Biederman
2008-12-05  2:03                 ` James Morris
2008-12-05  7:49                   ` Eric W. Biederman
2008-12-05 14:12                 ` Stephen Smalley
2008-12-11 10:41                   ` James Morris
2008-12-12  5:24                     ` Alexey Dobriyan
2008-12-12  9:26                       ` James Morris
2008-12-12  9:29                         ` James Morris
2008-12-12 10:51                           ` Eric W. Biederman
2008-12-12 21:40                             ` [E1000-devel] " James Morris
2008-12-12 21:24                         ` Stephen Smalley
2008-12-15 13:28                           ` James Morris
2008-12-19  1:04                             ` [PATCH 0/3][RFC] Fix security and SELinux handling of proc/* filesystems James Morris
2008-12-19  1:05                               ` [PATCH 1/3][RFC] SELinux: correctly detect proc filesystems of the form "proc/foo" James Morris
2008-12-19 12:29                                 ` David P. Quigley
2008-12-19  1:06                               ` [PATCH 2/3][RFC] security: pass mount flags to security_sb_kern_mount() James Morris
2008-12-19 12:52                                 ` Stephen Smalley
2008-12-19  1:07                               ` [PATCH 3/3][RFC] SELinux: don't check permissions for kernel mounts James Morris
2008-12-19 12:52                                 ` Stephen Smalley [this message]
2008-12-19  6:40                               ` [PATCH 0/3][RFC] Fix security and SELinux handling of proc/* filesystems David Miller

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1229691171.4948.3.camel@localhost.localdomain \
    --to=sds@tycho.nsa.gov \
    --cc=adobriyan@gmail.com \
    --cc=akpm@linux-foundation.org \
    --cc=auke-jan.h.kok@intel.com \
    --cc=chrisw@sous-sol.org \
    --cc=davem@davemloft.net \
    --cc=e1000-devel@lists.sourceforge.net \
    --cc=ebiederm@xmission.com \
    --cc=eparis@parisplace.org \
    --cc=jmorris@namei.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=viro@ftp.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).