[PATCH v4 3/3] selinux: fix overlayfs mmap() and mprotect() access checks

Stephen Smalley stephen.smalley.work at gmail.com
Tue Apr 7 22:14:36 AEST 2026


On Thu, Apr 2, 2026 at 11:09 PM Paul Moore <paul at paul-moore.com> wrote:
>
> The existing SELinux security model for overlayfs is to allow access if
> the current task is able to access the top level file (the "user" file)
> and the mounter's credentials are sufficient to access the lower
> level file (the "backing" file).  Unfortunately, the current code does
> not properly enforce these access controls for both mmap() and mprotect()
> operations on overlayfs filesystems.
>
> This patch makes use of the newly created security_mmap_backing_file()
> LSM hook to provide the missing backing file enforcement for mmap()
> operations, and leverages the backing file API and new LSM blob to
> provide the necessary information to properly enforce the mprotect()
> access controls.
>
> Cc: stable at vger.kernel.org
> Signed-off-by: Paul Moore <paul at paul-moore.com>

Do you have tests for these changes showing the before and after (i.e.
failing without your patches, passing with them)? I tried running an
earlier set from Ondrej but they failed.
