[PATCH v4 3/3] selinux: fix overlayfs mmap() and mprotect() access checks
Stephen Smalley
stephen.smalley.work at gmail.com
Wed Apr 8 05:20:06 AEST 2026
On Tue, Apr 7, 2026 at 10:35 AM Paul Moore <paul at paul-moore.com> wrote:
>
> On Tue, Apr 7, 2026 at 8:14 AM Stephen Smalley
> <stephen.smalley.work at gmail.com> wrote:
> > On Thu, Apr 2, 2026 at 11:09 PM Paul Moore <paul at paul-moore.com> wrote:
> > >
> > > The existing SELinux security model for overlayfs is to allow access if
> > > the current task is able to access the top level file (the "user" file)
> > > and the mounter's credentials are sufficient to access the lower
> > > level file (the "backing" file). Unfortunately, the current code does
> > > not properly enforce these access controls for both mmap() and mprotect()
> > > operations on overlayfs filesystems.
> > >
> > > This patch makes use of the newly created security_mmap_backing_file()
> > > LSM hook to provide the missing backing file enforcement for mmap()
> > > operations, and leverages the backing file API and new LSM blob to
> > > provide the necessary information to properly enforce the mprotect()
> > > access controls.
> > >
> > > Cc: stable at vger.kernel.org
> > > Signed-off-by: Paul Moore <paul at paul-moore.com>
> >
> > Do you have tests for these changes showing the before and after (i.e.
> > failing without your patches, passing with them)? I tried running an
> > earlier set from Ondrej but they failed.
>
> A few months ago I sent you and Ondrej some feedback on those early
> tests from Ondrej, but yes, I also had problems with Ondrej's tests.
> I've been using a hacked up combination of the existing tests, some of
> Ondrej's additions, and an additional debug/test patch to ensure the
> labeling is correct. It's far from ideal, but I didn't invest time in
> test development as I assumed Ondrej would continue his efforts there
> (unfortunately it doesn't appear that he has?), and I wanted to focus
> on getting a solution as soon as possible for obvious reasons.

Ok, I'm happy to look at even unpolished tests - just want something I
can use to exercise the before and after states.