    [PATCH] SELinux: canonicalize getxattr() · d381d8a9
    James Morris authored
    This patch allows SELinux to canonicalize the value returned from
    getxattr() via the security_inode_getsecurity() hook, which is called after
    the fs level getxattr() function.
    
    The purpose of this is to allow the in-core security context for an inode
    to override the on-disk value.  This could happen in cases such as
    upgrading a system to a different labeling form (e.g.  standard SELinux to
    MLS) without needing to do a full relabel of the filesystem.
    
    In such cases, we want getxattr() to return the canonical security context
    that the kernel is using rather than what is stored on disk.
    
    The implementation hooks into the inode_getsecurity(), adding another
    parameter to indicate the result of the preceding fs-level getxattr() call,
    so that SELinux knows whether to compare a value obtained from disk with
    the kernel value.
    
    We also now allow getxattr() to work for mountpoint labeled filesystems
    (i.e.  mount with option context=foo_t), as we are able to return the
    kernel value to the user.
    Signed-off-by: James Morris <jmorris@namei.org>
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
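The decision the commit message describes (on-disk label compared with the in-core context, the kernel value winning, and the kernel value also returned for mountpoint-labeled filesystems) as an added C model; this is not the kernel's code and the real hook has a different signature. `inode_sec`, `canonicalize_getsecurity`, `returns_kernel_value` and the sample labels are constructed for illustration.

```c
#include <errno.h>
#include <string.h>
#include <sys/types.h>

#define CTX_MAX 256
/* Hypothetical model of the per-inode security state; not the kernel's struct. */
typedef struct {
    char incore_ctx[CTX_MAX]; /* canonical context the kernel is using for the inode */
    int mountpoint_labeled;   /* fs mounted with context=foo_t, so no per-file labels */
} inode_sec;

/* Constructed sample: the kernel now uses an MLS-form label for the inode. */
const inode_sec SAMPLE_ISEC = { "system_u:object_r:etc_t:s0", 0 };
const inode_sec SAMPLE_MNT  = { "system_u:object_r:etc_t:s0", 1 };

/* fs_ret is the result of the preceding fs-level getxattr(): >= 0 is the length of
 * the on-disk value in 'disk', < 0 a negative errno. Returns the length of the
 * canonical value written to 'out', or a negative errno. */
ssize_t canonicalize_getsecurity(const inode_sec *isec, int fs_ret,
                                 const char *disk, char *out, size_t outlen)
{
    size_t klen = strlen(isec->incore_ctx);
    if (klen >= outlen)
        return -ERANGE;
    if (fs_ret >= 0) {
        /* A value was read from disk: keep it only if it already equals the
         * kernel's context; otherwise the in-core context overrides it. */
        if ((size_t)fs_ret != klen || memcmp(disk, isec->incore_ctx, klen) != 0)
            disk = isec->incore_ctx;
        memcpy(out, disk, klen);
        return (ssize_t)klen;
    }
    /* No usable on-disk value. For a mountpoint-labeled fs the kernel value is
     * still what the user should see; any other failure propagates unchanged. */
    if (isec->mountpoint_labeled && (fs_ret == -ENODATA || fs_ret == -EOPNOTSUPP)) {
        memcpy(out, isec->incore_ctx, klen);
        return (ssize_t)klen;
    }
    return fs_ret;
}

/* 1 if the canonicalized value equals the kernel's context, 0 if not, <0 on error. */
int returns_kernel_value(const inode_sec *isec, int fs_ret, const char *disk)
{
    char out[CTX_MAX];
    ssize_t n = canonicalize_getsecurity(isec, fs_ret, disk, out, sizeof out);
    if (n < 0)
        return (int)n;
    return (size_t)n == strlen(isec->incore_ctx) && memcmp(out, isec->incore_ctx, (size_t)n) == 0;
}
```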