
Commit 03fedf9

amir73il authored and Miklos Szeredi committed
ovl: skip getxattr of security labels
When inode has no listxattr op of its own (e.g. squashfs) vfs_listxattr calls the LSM inode_listsecurity hooks to list the xattrs that LSMs will intercept in inode_getxattr hooks.

When selinux LSM is installed but not initialized, it will list the security.selinux xattr in inode_listsecurity, but will not intercept it in inode_getxattr. This results in -ENODATA for a getxattr call for an xattr returned by listxattr.

This situation was manifested as overlayfs failure to copy up lower files from squashfs when selinux is built-in but not initialized, because ovl_copy_xattr() iterates the lower inode xattrs by vfs_listxattr() and vfs_getxattr().

ovl_copy_xattr() skips copy up of security labels that are identified by inode_copy_up_xattr LSM hooks, but it does that after vfs_getxattr(). Since we are not going to copy them, skip vfs_getxattr() of the security labels.

Reported-by: Michael Labriola <[email protected]>
Tested-by: Michael Labriola <[email protected]>
Link: https://lore.kernel.org/linux-unionfs/[email protected]/
Signed-off-by: Amir Goldstein <[email protected]>
Signed-off-by: Miklos Szeredi <[email protected]>
1 parent e04527f commit 03fedf9
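
The listxattr/getxattr mismatch the commit message describes can be checked from user space. The following is an added example, not code from this commit or from the kernel tree: it walks the name list that `llistxattr(2)` returns and counts names for which `lgetxattr(2)` answers ENODATA. The helper names, the sample list and the sample getter are hypothetical and constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/xattr.h>

/* Added example; helper names are hypothetical. Getter returns size or -errno. */
typedef ssize_t (*xattr_get_fn)(const char *path, const char *name);

static ssize_t real_get(const char *path, const char *name)
{
    ssize_t n = lgetxattr(path, name, NULL, 0);   /* size query only */
    return n < 0 ? -errno : n;
}

/* Constructed sample: a listxattr-style name list and a getter that fails one. */
const char SAMPLE_LIST[] = "user.comment\0security.selinux\0trusted.overlay.opaque";
ssize_t sample_get(const char *path, const char *name)
{
    (void)path;
    return strcmp(name, "security.selinux") == 0 ? -ENODATA : 4;
}

/* Count names in a NUL-separated list that the getter rejects with -ENODATA. */
int count_listed_but_missing(const char *path, const char *list, size_t len, xattr_get_fn get)
{
    int missing = 0;
    for (size_t off = 0; off < len; ) {
        const char *name = list + off;
        const char *end = memchr(name, '\0', len - off);
        if (!end) break;                /* unterminated tail: ignore it */
        if (end != name && get(path, name) == -ENODATA)
            missing++;
        off += (size_t)(end - name) + 1;
    }
    return missing;
}

int check_path(const char *path)        /* mismatch count, or -errno if listing fails */
{
    char list[4096];                    /* assumption: the name list fits in 4 KiB */
    ssize_t len = llistxattr(path, list, sizeof(list));
    return len < 0 ? -errno : count_listed_but_missing(path, list, (size_t)len, real_get);
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++)
        printf("%s: %d\n", argv[i], check_path(argv[i]));
    return 0;
}
```

A positive count for a file on the lower layer means a listed xattr cannot be read back, which is the condition that made copy up fail before this change.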


fs/overlayfs/copy_up.c

Lines changed: 8 additions & 7 deletions
@@ -84,6 +84,14 @@ int ovl_copy_xattr(struct super_block *sb, struct dentry *old,
8484

8585
if (ovl_is_private_xattr(sb, name))
8686
continue;
87+
88+
error = security_inode_copy_up_xattr(name);
89+
if (error < 0 && error != -EOPNOTSUPP)
90+
break;
91+
if (error == 1) {
92+
error = 0;
93+
continue; /* Discard */
94+
}
8795
retry:
8896
size = vfs_getxattr(old, name, value, value_size);
8997
if (size == -ERANGE)
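Review bot: the relocated `error = security_inode_copy_up_xattr(name);` block above `retry:` has no comment saying why it must run before `vfs_getxattr()`. That ordering is the entire fix (per the commit message, a listed security label can come back as -ENODATA from getxattr), so a short comment above the call would keep a later cleanup from moving the check back below the value fetch. Keeping it above the `retry:` label also means the hook is not called again on `goto retry`, which looks intended and could be mentioned in the same comment.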
@@ -107,13 +115,6 @@ int ovl_copy_xattr(struct super_block *sb, struct dentry *old,
107115
goto retry;
108116
}
109117

110-
error = security_inode_copy_up_xattr(name);
111-
if (error < 0 && error != -EOPNOTSUPP)
112-
break;
113-
if (error == 1) {
114-
error = 0;
115-
continue; /* Discard */
116-
}
117118
error = vfs_setxattr(new, name, value, size, 0);
118119
if (error) {
119120
if (error != -EOPNOTSUPP || ovl_must_copy_xattr(name))
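Review bot: with the hook gone from directly above `error = vfs_setxattr(new, name, value, size, 0);`, `error` can now carry a tolerated -EOPNOTSUPP from `security_inode_copy_up_xattr()` through the whole stretch from `retry:` to this assignment, where before it was overwritten on the very next statement. It is worth confirming that every `break` in that stretch assigns `error` itself, or clearing the tolerated value right after the hook check, so that an -EOPNOTSUPP from the LSM hook cannot end up as the return value of ovl_copy_xattr().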
