[prev in list] [next in list] [prev in thread] [next in thread]
List: linux-security-module
Subject: Re: [PATCH 3/3][RFC] SELinux: don't check permissions for kernel
From: Stephen Smalley <sds () tycho ! nsa ! gov>
Date: 2008-12-19 12:52:51
Message-ID: 1229691171.4948.3.camel () localhost ! localdomain
[Download RAW message or body]
On Fri, 2008-12-19 at 12:07 +1100, James Morris wrote:
> Don't bother checking permissions when the kernel performs an internal
> mount, as this should always be allowed.
>
> Signed-off-by: James Morris <jmorris@namei.org>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
> ---
> security/selinux/hooks.c | 4 ++++
> 1 files changed, 4 insertions(+), 0 deletions(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 3897758..4a44903 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -2461,6 +2461,10 @@ static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
> if (rc)
> return rc;
>
> + /* Allow all mounts performed by the kernel */
> + if (flags & MS_KERNMOUNT)
> + return 0;
> +
> AVC_AUDIT_DATA_INIT(&ad, FS);
> ad.u.fs.path.dentry = sb->s_root;
> return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
--
Stephen Smalley
National Security Agency
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic