[PATCH v4 3/3] selinux: fix overlayfs mmap() and mprotect() access checks
Paul Moore
paul at paul-moore.com
Wed Apr 8 06:21:40 AEST 2026
On Tue, Apr 7, 2026 at 3:20 PM Stephen Smalley
<stephen.smalley.work at gmail.com> wrote:
> On Tue, Apr 7, 2026 at 10:35 AM Paul Moore <paul at paul-moore.com> wrote:
> > On Tue, Apr 7, 2026 at 8:14 AM Stephen Smalley
> > <stephen.smalley.work at gmail.com> wrote:
> > > On Thu, Apr 2, 2026 at 11:09 PM Paul Moore <paul at paul-moore.com> wrote:
> > > >
> > > > The existing SELinux security model for overlayfs is to allow access if
> > > > the current task is able to access the top level file (the "user" file)
> > > > and the mounter's credentials are sufficient to access the lower
> > > > level file (the "backing" file). Unfortunately, the current code does
> > > > not properly enforce these access controls for both mmap() and mprotect()
> > > > operations on overlayfs filesystems.
> > > >
> > > > This patch makes use of the newly created security_mmap_backing_file()
> > > > LSM hook to provide the missing backing file enforcement for mmap()
> > > > operations, and leverages the backing file API and new LSM blob to
> > > > provide the necessary information to properly enforce the mprotect()
> > > > access controls.
> > > >
> > > > Cc: stable at vger.kernel.org
> > > > Signed-off-by: Paul Moore <paul at paul-moore.com>
> > >
> > > Do you have tests for these changes showing the before and after (i.e.
> > > failing without your patches, passing with them)? I tried running an
> > > earlier set from Ondrej but they failed.
> >
> > A few months ago I sent you and Ondrej some feedback on those early
> > tests from Ondrej, but yes, I also had problems with Ondrej's tests.
> > I've been using a hacked up combination of the existing tests, some of
> > Ondrej's additions, and an additional debug/test patch to ensure the
> > labeling is correct. It's far from ideal, but I didn't invest time in
> > test development as I assumed Ondrej would continue his efforts there
> > (unfortunately it doesn't appear that he has?), and I wanted to focus
> > on getting a solution as soon as possible for obvious reasons.
>
> Ok, I'm happy to look at even unpolished tests - just want something I
> can use to exercise the before and after states.
Hopefully Ondrej can provide an updated patch.
--
paul-moore.com