git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Amir Goldstein <amir73il@gmail.com>
	Sat, 19 Dec 2020 10:16:08 +0000 (12:16 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Tue, 23 Feb 2021 13:00:31 +0000 (14:00 +0100)
commit	4dfce60487d6594612b9269e878d722522496198
tree	6ac5887d8cf682322f0aff6b0ac0c778b2c365ab	tree
parent	83515cf735cc53fb7030703c2a1881fe4a98f2a0	commit \| diff

ovl: skip getxattr of security labels

[ Upstream commit 03fedf93593c82538b18476d8c4f0e8f8435ea70 ]

When inode has no listxattr op of its own (e.g. squashfs) vfs_listxattr
calls the LSM inode_listsecurity hooks to list the xattrs that LSMs will
intercept in inode_getxattr hooks.

When selinux LSM is installed but not initialized, it will list the
security.selinux xattr in inode_listsecurity, but will not intercept it
in inode_getxattr. This results in -ENODATA for a getxattr call for an
xattr returned by listxattr.

This situation was manifested as overlayfs failure to copy up lower
files from squashfs when selinux is built-in but not initialized,
because ovl_copy_xattr() iterates the lower inode xattrs by
vfs_listxattr() and vfs_getxattr().

ovl_copy_xattr() skips copy up of security labels that are indentified by
inode_copy_up_xattr LSM hooks, but it does that after vfs_getxattr().
Since we are not going to copy them, skip vfs_getxattr() of the security
labels.

Reported-by: Michael Labriola <michael.d.labriola@gmail.com>
Tested-by: Michael Labriola <michael.d.labriola@gmail.com>
Link: https://lore.kernel.org/linux-unionfs/2nv9d47zt7.fsf@aldarion.sourceruckus.org/
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>